Abstract.

We demonstrate how adversaries with unbounded computing resources can break Quantum Key Distribution (QKD) protocols which employ a particular message authentication code suggested previously. This authentication code, featuring low key consumption, is not Information-Theoretically Secure (ITS) since for each message the eavesdropper has intercepted she is able to send a different message from a set of messages that she can calculate by finding collisions of a cryptographic hash function. However, when this authentication code was introduced it was shown to prevent straightforward Man-In-The-Middle (MITM) attacks against QKD protocols.

In this paper, we prove that the set of messages that collide with any given message under this authentication code contains with high probability a message that has small Hamming distance to any other given message. Based on this fact we present extended MITM attacks against different versions of BB84 QKD protocols using the addressed authentication code; for three protocols we describe every single action taken by the adversary. For all protocols the adversary can obtain complete knowledge of the key, and for most protocols her success probability in doing so approaches unity.

Since the attacks work against all authentication methods which allow colliding messages to be calculated, the underlying building blocks of the presented attacks expose the potential pitfalls arising as a consequence of non-ITS authentication in QKD post-processing. We propose countermeasures, increasing the eavesdropper's demand for computational power, and also prove necessary and sufficient conditions for upgrading the discussed authentication code to the ITS level.
1. Introduction

Quantum key distribution (QKD) is a cryptographic key-agreement protocol consisting 
of two steps: quantum communication and measurements, and classical post processing. 
The outstanding property of QKD is that it is an Information-Theoretically Secure (ITS) 
and universally composable (UC) protocol given that its classical communication is 
performed over an authentic channel (note that all key-agreement protocols are insecure 
over non-authentic channels). Thus QKD is a very powerful cryptographic primitive but 
in order to be useful for practical key agreement purposes it must be composed with an 
independent primitive enforcing the mentioned requirement for authenticity of classical 
communication. 

The standard cryptographic approach ensuring authenticity of communication messages against malicious attackers is to use a message authentication code (MAC) [1]. A convenient class of MACs are systematic MACs, which replace the original message with a concatenation of the message itself and an additional tag which is the image of a keyed hash function applied to the message. It is well known that Strongly Universal ($\mathrm{SU}_2$), and more generally Almost Strongly Universal ($\mathrm{ASU}_2$) hashing (see Appendix C) is an ITS primitive that can be used to calculate systematic MAC tags.

1.1. Related work 

Very recently authentication based on $\mathrm{ASU}_2$ hashing was explicitly shown [2] to be also UC (a fact that has been used implicitly for quite some time). Therefore UC message authentication with $\mathrm{ASU}_2$ hashing can be composed with UC quantum key distribution over authentic channels to form a UC (quantum-classical) key agreement protocol over non-authentic channels. Thus, $\mathrm{ASU}_2$ hashing is sufficient for the authentication of the classical messages exchanged during any QKD protocol. However, although composing two UC primitives is sufficient for getting a UC composed protocol, this is not a priori necessary, as in principle it is not excluded that it can be shown directly that the final protocol is UC. In this sense it might still be possible that QKD over non-authentic channels can be made secure without relying on $\mathrm{ASU}_2$ hashing. Alternatives using weaker authentication have been proposed, and this paper focuses on the method of Ref. [3], which puts forward a hash function that is a composition of an (inner) known public hash function (like SHA) and an (outer) $\mathrm{SU}_2$ function. It was proven that QKD using this authentication is secure against an eavesdropper that attempts to break the protocol using a straightforward "man-in-the-middle" (MITM) attack, as defined below. Later, in Refs. [4, 5] it was observed that an eavesdropper can apply more advanced strategies than a straightforward MITM and get a significant leverage by being able to break QKD with particular realizations of post-processing. It has, however, been argued [3, 6] that this weakness occurs only in specific post-processing realizations, while in practical (or generic) ones the proposed eavesdropping techniques remain inadequate.
1.2. New results

In this paper we use the adversarial approaches of [4, 5], extend them significantly to full scale eavesdropping strategies, and demonstrate in detail how to break several explicit QKD protocols that employ the authentication method of Ref. [3], under the assumptions that the adversary possesses unbounded computation resources and in some cases quantum memory. The general attack pattern is a sophisticated (interleaving) MITM attack, in which the adversary (Eve) carries out independent protocols with the legitimate parties (Alice and Bob). In doing so Eve manages to modify her respective protocol messages such that these collide with those of Alice and Bob under the first part of the authentication of Ref. [3]. Depending on the protocol variants (e.g., immediate vs. delayed authentication), the different attacks which we study address sifting, error correction, confirmation, and privacy amplification, or only some of these steps. These techniques can be used to break a very broad class of post-processing protocol realizations which include those routinely used in practical implementations. With significant probability, which in most attacks approaches unity, Eve shares a key with the legitimate parties.

We also consider some countermeasures, which consist of modifications of the two- 
step authentication mechanism. These modifications result in a range of complications 
to Eve: (i) increasing Eve's computational load substantially, (ii) forcing her to do 
considerable online computation rather than offline; and (iii) depriving her of any attack 
potential by finally re-establishing ITS for the modified construction. We give necessary 
and sufficient conditions for ITS with this construction; that the conditions are sufficient 
is already known from earlier results, but that the conditions are necessary is, as far as 
we know, a new result. 

1.3. Structure of the paper 

Section 2 contains a motivation on why authentication is needed in QKD, briefly reviews message authentication codes and Universal hashing, and gives a more detailed description of the authentication method under study here. Section 3 introduces the attack vectors and then details three different QKD protocols and attacks against them in a step-by-step fashion. In Tables 2 and 3 we summarize the attacks and the gained knowledge on the key for each of them, as well as for a number of further protocol versions. Section 4 discusses how the security of the authentication method can be improved and presents a theorem that gives necessary and sufficient conditions for ITS of the modified method. The conclusions and outlook are given in Section 5. The Appendices contain technical proofs and summarize some definitions of Universal hash function families.
2. Authentication in QKD

The need for authentication becomes clear if we consider for a moment the opposite 
case, i.e. an "unprotected" channel that allows arbitrary modification of messages in 
transit. 

2.1. Man-in-the-middle attacks and Message Authentication Codes 

The unprotected channel will enable a straightforward "man-in-the-middle" (MITM) 
attack: 

Definition 1 (straightforward man-in-the-middle (MITM) attack). In the straightforward man-in-the-middle attack the eavesdropper (Eve) builds or buys a pair of QKD devices identical to those of the legitimate parties (Alice and Bob) and cuts "in the middle" the quantum and classical communication channels connecting Alice and Bob. She now connects each of her devices to the "loose ends" of the quantum and classical channels and launches two independent QKD sessions, one with Alice and the other with Bob. Eve effectively pretends to be Bob to Alice and Alice to Bob. Eventually she shares a (different) key with each of the legitimate parties which allows her to communicate with them independently. If Alice sends an encrypted message to Bob, Eve can intercept the message and decrypt it, encrypt it with the key she shares with Bob, and send it to Bob.

Alice and Bob never come to realize that the security of their communication is completely lost. This is completely analogous to the classic MITM attack against the unauthenticated Diffie-Hellman key agreement protocol [1, Chap. 12.9.1]. Obviously, any (classic or quantum) key agreement protocol that has no proper authentication (or integrity check) of messages exchanged between the communicating parties can be broken with a similar impersonation attack.

So ideally an adversary should not be able to insert messages into the channel, and 
moreover messages sent by one legitimate user to the other are always delivered and 
are not modified. However, there are no a-priori authentic communication channels. 
Appending a so-called Message Authentication Code (MAC) to each communication 
message can mimic an authentic channel, but cannot guarantee delivery of messages, as 
these can in practice always be blocked. 

Definition 2 (Message Authentication Code (MAC) [1]). A Message Authentication Code (MAC) algorithm is a family of functions $h_K$ parameterized by a secret key $K$ with the following properties: (i) given a message $x$ and a key $K$, the MAC value $h_K(x)$ (also called tag) should be easy to compute, (ii) it maps a message $x$ of arbitrary finite bitlength to a tag $h_K(x)$ of fixed bitlength $n$, and (iii) given a description of the function family $h$, for every fixed allowable value of $K$ it must be computation-resistant. The last property means that given zero or more message-tag pairs $(x_i, h_K(x_i))$ it is computationally infeasible to compute any message-tag pair $(x, h_K(x))$ for any new input $x \ne x_i$ without knowing $K$.

Normally, MACs are either based on (a) cryptographic hash functions (e.g. HMAC-SHA-256 based on SHA-256), on (b) block cipher algorithms (e.g. AES-CMAC based on AES), or on (c) Universal hashing (see Appendix C). Message authentication codes based on (a) or (b) typically use one key for many messages, and offer computational security, i.e. they can only be broken with sufficient computing power (or when a hidden weakness of the algorithm is detected).



2.2. Universal hashing and UC security 

MACs based on Universal hashing have to use one (new) key per message, but offer information-theoretic security which is independent of the adversary's computing power. In more detail, for $\mathrm{SU}_2$ hash functions a random guess of the MAC tag is provably the best possible attack, while $\varepsilon$-$\mathrm{ASU}_2$ hash functions still provide a strict upper bound (namely $\varepsilon$) on the attacker's success probability to substitute an observed message-tag pair with another valid message-tag pair (substitution attack) or to insert a valid message-tag pair.

Universal hashing was originally proposed by Wegman and Carter [7, 8]. It was identified as an appropriate match for QKD, as Wegman-Carter's and later constructions [9-12] consume a relatively low amount of key. The aim is to have less key consumption than the key generation in a typical QKD session [13], so that each session can reserve a portion of its output for authentication of the subsequent one. Then, the process only needs to be kick-started by an initial, one-time, pre-distributed secret.

Security analysis of QKD (see, e.g., Ref. [14] and references therein for a recent overview) has typically been based on the requirement that the classical post-processing communication is secured by a MAC based on Universal hashing, to upper bound an adversary's chances to modify or insert messages without getting detected. In addition, UC-security definitions for QKD have been established [15-18]. As a consequence, combining the two $\varepsilon$-UC-secure protocols QKD and $\mathrm{ASU}_2$ authentication yields a joint, UC-secure key growing mechanism over non-authentic classical channels (see [2]). Thus, MACs based on $\mathrm{ASU}_2$ hashing are sufficient for security, but it is an open question whether they are also necessary, and what security would be obtained for other alternatives.



2.3. The non-ITS authentication mechanism of Ref. [3]

The authentication mechanism proposed in Ref. [3] aimed to consume less key than $\mathrm{ASU}_2$ authentication. The intended goal is a positive key balance of the combination QKD plus authentication even in realizations that use (relatively) short blocks in the post-processing step. Note that later experimental progress has made these objectives not so relevant, as short key blocks are no longer necessary from an implementation perspective [19]. Still, a complete security analysis of the authentication mechanism of [3] is intriguing from a theoretical point of view as the mechanism has interesting properties not shared by any of the methods mentioned above.

To start with, we summarize the proposal of Ref. [3] and introduce some notation (see also Table 1). The proposal relies on a two-step hash function evaluation: $t = g_K(m) := h_K(f(m))$, where $f : \mathcal{M} \to \mathcal{Z}$ is a publicly known hash function and $h_K : \mathcal{Z} \to \mathcal{T}$ belongs to an $\mathrm{SU}_2$ hash function family $\mathcal{H}$ (see Appendix C). Here, $\mathcal{M}$ is the set of messages to be authenticated, $\mathcal{Z}$ is an intermediate set of strings, and $\mathcal{T}$ is the set of tags, with $|\mathcal{M}| > |\mathcal{Z}| > |\mathcal{T}|$.



2.3.1. Insertion of messages is ruled out. Now assume that Eve attempts to calculate or guess the tag for a fixed message $m_E$ that she wants to insert. In that case she has a success probability of $1/|\mathcal{T}|$ (irrespective of her computing power). This is because the key $K$ which identifies the $\mathrm{SU}_2$ hash function is not known to her. Thus, the authentication mechanism is (first-)preimage resistant, i.e. knowledge of the authentication tag alone does not allow messages yielding the same tag to be found.



2.3.2. Substitution with given messages is ruled out. Let us further assume that Eve has intercepted a (valid) message-tag pair $(m_A, t)$ from Alice and wants to substitute it with her fixed message $m_E$ and some tag. Then Eve's chances increase slightly because she now has access to the intermediate value $f(m_A)$, and can check whether $f(m_A) = f(m_E)$. If there is a collision, Eve knows that $(m_E, t)$ is a valid message-tag pair and can just send this; otherwise she guesses the tag as above. The total probability of success is now bounded by the guessing probability plus the collision probability, and assuming that $m_A$ is random to Eve and that $f$ is a good hash function, the collision probability is low (for details see [3]). So this two-step authentication works well in a situation where Eve is given a fixed message $m_E$ to generate the tag for. One immediate consequence is that Eve cannot perform the straightforward MITM attack (cf. Definition 1) with significant success probability, since she would need to generate tags for messages $m_E$ from her devices without knowledge of $K$, for which case the above bound applies.



2.3.3. The weakness. However, one should note that using the intercepted message-tag pair $(m_A, t)$ and enough computational power, Eve can in principle search for other preimages of $t$ under $f$. If she can find (at least) one message $\tilde m_E$ such that $f(m_A) = f(\tilde m_E)$, then $h_K(f(m_A)) = h_K(f(\tilde m_E))$ and therefore $(\tilde m_E, t)$ is a valid message-tag pair for any key $K$. She can now replace $m_A$ with $\tilde m_E$ with a success probability of 100%. The question now is whether this (or one of these) $\tilde m_E$ can be used in place of the message $m_E$. It would seem that, if Eve strictly follows the appropriate QKD protocol (random settings, best possible bit error rate, ...), this is not possible.

However, Eve is not forced to follow the precise requirements of the QKD protocol [5]; she only needs to make it seem to Alice and Bob that she does so. For example, Eve does not need to use random settings (e.g. preparation bases and raw keys), or even correctly send all settings she used. If it helps her, she can use a fixed sequence of settings or report other settings for some qubits than the ones actually used.

An early suggestion [4] was to select the privacy amplification map carefully, rather than generating it randomly. This would give Eve a shared key with Bob, but not with Alice. Later, as mentioned above, it was observed that Eve may deviate from the QKD protocol in several places [5]. If Eve uses a fixed sequence of settings (e.g. measurement and preparation bases) on the quantum channel, this would enable her to do the calculations for finding $\tilde m_E$ offline. If Eve sends the wrong settings for some of the qubits, this will allow her to choose from several $m_E$ to get a collision. This would constitute the basis for a sophisticated MITM attack that can break simplified QKD protocols. In these simplified protocols the breaches could be closed by relatively straightforward countermeasures [5], but the security of the standard and/or hardened protocols remained an open issue. We aim to settle this in the present paper.



3. Attacks against non-ITS authentication in QKD 

In this section, we give detailed descriptions of four different attacks on three different explicit QKD protocols. We also give an overview of the effectiveness of this kind of attack against other QKD protocols, and for different types of resources available to Eve. In each case, the essence of the attack is to intercept a valid message-tag pair (sent by Alice or Bob) and — using large computational resources and/or leveraging weaknesses of the public hash function algorithm — find further preimages of the tag (messages that hash to the same hash value as the intercepted message) that are then used by the eavesdropper.



3.1. Hash collisions 

Assume that Eve has intercepted a message-tag pair $(m_A, t)$ from Alice. The following lemma states that (under a mild assumption) for any fixed message $m_E$ that Eve would like to send, there exists with probability almost 1 a message $\tilde m_E$ such that (i) $\tilde m_E$ is almost identical to $m_E$, i.e. $\tilde m_E$ has small Hamming distance to $m_E$, and (ii) $(\tilde m_E, t)$ will be accepted as authentic, i.e. $h_K(f(\tilde m_E)) = t$.

Lemma 1. Let $B$ be the closed ball of all messages $m$ having a Hamming distance to $m_E$ not exceeding $w$:

$$B = \{\, m : d_H(m, m_E) \le w \,\},$$

and let us assume that $f$ maps all messages in $B$ randomly onto $\mathcal{Z}$. Then the probability that at least one of the messages in $B$ is validated by the given tag $t = h_K(f(m_A))$ is

$$\Pr\{\exists\, \tilde m_E \in B : h_K(f(\tilde m_E)) = t\} \;\ge\; 1 - \exp\!\left(-|B|\,|\mathcal{Z}|^{-1}\right).$$

For simplicity we can loosen the bound and replace $|B|$ by $\binom{\ell}{w} \le |B|$, where $\ell$ is the length of the binary message $m_E$.

The proof of Lemma 1 is given in Appendix A. Since no assumptions on the computational power of Eve are imposed, she will be able to find such an $\tilde m_E$ with (at least) this probability. For typical parameters, e.g. $|\mathcal{Z}| = 2^{256}$ and $\ell = 2^{12}$ ($2^{13}$, $2^{14}$, $2^{15}$, $2^{16}$, $2^{17}$), a Hamming distance $w = 32$ (28, 25, 22, 20, 19) is sufficient to reach a success probability of 99.9%.



3.1.1. Attacking the sifting stage - hiding in the noise. Let us assume that during the sifting stage the legitimate parties will exchange messages that contain one bit per preparation/measurement basis (time slot). Let us assume further that Eve can successfully attack the protocol (as discussed below) if she can substitute such a message, say $m_A$, with a sifting message of her choice, say $m_E$. From Lemma 1 it follows that if Eve replaces $m_A$ with $\tilde m_E$ instead of $m_E$, she will introduce at this step (at most) an additional error $e = w/\ell \approx 0.78\%$ (0.34%, 0.15%, 0.067%, 0.031%, 0.014%) (with the parameters from above; in the worst case each modified basis bit could result in one flipped sifted key bit). This strategy allows Eve to hide the substitution of sifting messages in the usual noise on the quantum channel, since the following error correction step will also remove these small additional deviations. Obviously, the larger the message length $\ell$, the easier Eve's task is.
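As an added check on the numbers quoted above (example code written for this edit, not from the paper), the following Python evaluates the loosened Lemma 1 bound $1 - \exp(-\binom{\ell}{w}/|\mathcal{Z}|)$ for the paper's $(\ell, w)$ pairs with $|\mathcal{Z}| = 2^{256}$, reports the smallest radius that reaches 99.9% (so a protocol designer can see how much slack a given message length leaves), and computes the worst-case sifting error $w/\ell$ from Section 3.1.1.

```python
import math

# Intermediate hash space of the two-step construction: |Z| = 2^256 (value from Section 3.1).
LOG2_Z = 256

# (message length l, Hamming radius w) pairs quoted in Section 3.1 as sufficient for 99.9%.
PAPER_PAIRS = [(2**12, 32), (2**13, 28), (2**14, 25),
               (2**15, 22), (2**16, 20), (2**17, 19)]


def collision_bound(length, w, log2_z=LOG2_Z):
    """Loosened Lemma 1 bound: Pr[some message within Hamming distance w of m_E
    is validated by the observed tag] >= 1 - exp(-binom(l, w) / |Z|).
    Assumes, as the lemma does, that f behaves like a random function on the ball."""
    ball = math.comb(length, w)        # exact integer; may exceed 2^256
    ratio = ball / 2 ** log2_z         # big-int true division yields a float
    return 1.0 - math.exp(-ratio)      # underflows to exactly 1.0 once ratio is large


def smallest_sufficient_w(length, target=0.999, log2_z=LOG2_Z):
    """Smallest radius w whose bound reaches `target`; the radius shrinks as the
    authenticated message grows, which is the effect Section 3.1.1 relies on."""
    w = 0
    while collision_bound(length, w, log2_z) < target:
        w += 1
    return w


def sifting_error(length, w):
    """Worst-case extra error rate e = w / l of Section 3.1.1: each of the w
    modified basis bits can flip at most one sifted key bit."""
    return w / length


def audit(pairs=PAPER_PAIRS, target=0.999):
    """Evaluate every (l, w) pair; returns one record per pair."""
    rows = []
    for length, w in pairs:
        bound = collision_bound(length, w)
        rows.append({
            "length": length,
            "w": w,
            "bound": bound,
            "sufficient": bound >= target,
            "minimal_w": smallest_sufficient_w(length, target),
            "extra_error": sifting_error(length, w),
        })
    return rows


if __name__ == "__main__":
    print(f"{'l':>7} {'w':>3} {'bound':>10} {'min w':>6} {'w/l':>8}")
    for r in audit():
        print(f"{r['length']:>7} {r['w']:>3} {r['bound']:>10.6f} "
              f"{r['minimal_w']:>6} {r['extra_error']:>8.4%}")
```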



3.1.2. Correlating the sifted keys of Alice and Bob. Assume for the moment that Eve has intercepted the quantum bits from Alice and has saved them into her quantum memory. Assume further that she managed to fool Alice, so that Alice announces to her the corresponding preparation bases. Then Eve can measure the quantum bits and get Alice's raw key.

The strongest of the presented attacks is based on the fact that once Eve knows the raw key of Alice, she can, by using a modification of Bob's sifting message, ensure with high probability that the complete sifted key of Alice will be almost identical to that of Bob (cf. the description of Protocol 1 and step (Se'') of the attack against it).

Lemma 2. Let $d^A \in \{0,1\}^n$ be the raw key that Alice has used to prepare her quantum bits. Once Eve knows $d^A$ she can determine $\lfloor n/2 \rfloor - k$ bits of any fixed sifted key $s^E$ that she wants Alice to create with probability

$$P_{\mathrm{attack}} \;\ge\; 1 - \exp(-\cdots) \qquad (1)$$

by replacing Bob's sifting message with a message $b^{A=E}$ that she has prepared.

Eve's attack will succeed if a subsequence of $s^E$ (derived by deleting some elements without changing the order) of length at least $\lfloor n/2 \rfloor - k$ is also a subsequence of $d^A$. The proof and a simple and efficient algorithm to generate $b^{A=E}$ are given in Appendix B. Note that $k = O(\sqrt{n})$ is sufficient for $P_{\mathrm{attack}} \approx 1$.



3.2. General remarks, protocol notation and settings used

Any successful attack is based on finding protocol modifications yielding communication messages that collide with those of the legitimate parties under the fixed hash function in the first (internal) stage of authentication throughout the complete chain of the QKD protocol. Therefore, in contrast to the case of authentication by universal hashing, now QKD post-processing protocols differing in the precise definition of their separate algorithmic steps (e.g. mode of authentication — immediate or delayed, exact order of exchange of sifting messages, whether error-correction bits are encrypted or not, etc.) become inequivalent and exhibit different types of vulnerabilities. For this reason each attack discussed below is adapted to a specific protocol. Both the protocols and the corresponding attacks are carefully and formally defined.

Figure 1. Protocol 1 (BB84, quantum exchange and sifting only). Time flow is from left to right. Single (double) lines represent classical (quantum) communication. Local protocol actions are depicted by boxes: $\rho$ depicts state preparation, the indicator is a quantum measurement device, the ACK box denotes that Alice waits for Bob's message until she continues with the protocol, $=$ denotes the calculation of identical bases, and $\&$ denotes the filtering of signals (in different bases).

We consider exclusively but without loss of generality the case of BB84 QKD protocols, as the attacks we discuss are essentially independent of the particular form of quantum communication. Moreover, all protocols that we study are stated as prepare-and-measure ones. It is, however, straightforward to adapt the attacks discussed below to the case of entanglement based protocols.

It is implicitly assumed that on receiving messages Alice and Bob check their message tags for correctness, and that incorrect message tags lead them to conclude that Eve is intercepting, and to abort the protocol. In case the message authentication is UC-secure the resulting protocols are also UC-secure. A collection of used symbols is given in Table 1.



3.3. Protocol 1 - BB84 with immediate message authentication - Alice sends bases

We divide the protocol into two separate parts: (S) quantum state transmission and sifting, and (P) post processing (consisting of error correction, confirmation, and privacy amplification). Part (P) needs the result of (S) (i.e. the sifted keys) as input.
Table 1. Summary of symbols used in the paper.

A, B, E: legitimate parties Alice and Bob, and eavesdropper Eve.
Q, C: quantum channel, classical channel.
$b^A$ ($b^E$), $d^A$ ($d^E$): Alice's (Eve's) string for bases choice and raw key, resp., used for preparing the quantum states.
$b^B$, $d^B$: Bob's bases choice and measurement results (i.e. his raw key).
$\rho^A$ ($\rho^E$): quantum state prepared by Alice (Eve).
$m_{\mathrm{ack}}$: notification that a party has finished its measurements.
$g_K(\cdot)$: keyed hash function with key $K$.
$b^{X=Y}$: string indicating the positions where the parties X and Y successfully prepared and measured in the same basis.
$s^A$ ($s^B$, $s^E$): sifted key of Alice (Bob, Eve).
$s^{E\leftrightarrow A}$ ($s^{E\leftrightarrow B}$): sifted key shared between Eve and Alice (Bob).
$\tilde s^B$: error corrected (reconciled) key of Bob.
$\tilde s^{E\leftrightarrow A}$: error corrected (reconciled) key that Eve shares with Alice.
$K^A$ ($K^B$, $K^E$): final key of Alice (Bob, Eve).
$K^{E\leftrightarrow A}$ ($K^{E\leftrightarrow B}$): final key shared between Eve and Alice (Bob).
$\mathrm{EC} := \{\mathrm{EC}_1, \ldots, \mathrm{EC}_n\}$: set of predefined parity check matrices, used for forward error correction in different error rate regimes.
$i$: index into the set EC, denoting the actual parity check matrix $\mathrm{EC}_i$ used.
CO: description of the (ITS) confirmation function.
PA: description of the (ITS) privacy amplification function.
$\varepsilon$: error rate on Q.
fail: notification that a partner should abort the protocol.

3.3.1. State transmission and sifting (S)

SUMMARY: 3 classical messages are exchanged. Each classical message is accompanied by a corresponding tag (keyed hash value, MAC).

1. Setup. A and B share the 3 keys $K_1, K_2, K_3$.

2. Protocol messages. Let $t_1 := g_{K_1}(m_{\mathrm{ack}})$, $t_2 := g_{K_2}(b^A)$, and $t_3 := g_{K_3}(b^{A=B})$ be the authentication tags used in messages (S2), (S3), and (S4), resp.

(S1) A $\to$ B : $\rho^A$
(S2) A $\leftarrow$ B : $m_{\mathrm{ack}}, t_1$
(S3) A $\to$ B : $b^A, t_2$
(S4) A $\leftarrow$ B : $b^{A=B}, t_3$

3. Protocol actions.

(Sa) A creates two random bit strings, her raw key $d^A$ and the bases string $b^A$, with $d^A, b^A \in_R \{0,1\}^N$. For all pairs of bits $(d^A_k, b^A_k)$ A generates the corresponding quantum states $\rho^A_k \in \{\rho^0, \rho^1, \rho^2, \rho^3\}$. Using Q, A sends the quantum state $\rho^A = \bigotimes_{k=1}^{N} \rho^A_k$ ("string" of all $\rho^A_k$'s), i.e. (S1), to B.

(Sb) B creates a random bases string $b^B \in_R \{0,1\}^N$. B measures $\rho^A$ in bases $b^B$ and obtains $d^B \in \{0, 1, \mathrm{empty}\}^N$, where empty corresponds to no measurement result at B, e.g., due to absorption in the channel or the imperfection of the detectors. For all $k$ with $d^B_k = \mathrm{empty}$, B sets $b^B_k = \mathrm{empty}$.

(Sc) Using C, B sends an acknowledgement message (S2) to A.

(Sd) A waits until she has received (S2), ensuring that the measurements have been finished before the bases exchange is performed. Using C, A sends (S3) to B.

(Se) B calculates a bit string $b^{A=B}$ such that $b^{A=B}_k = 1$ if $b^A_k = b^B_k$, and $b^{A=B}_k = 0$ otherwise, for $1 \le k \le N$. B removes from $d^B$ all bits $d^B_k$ where $b^{A=B}_k = 0$ and obtains $s^B$. Using C, B sends (S4) to A.

(Sf) A removes from $d^A$ all bits $d^A_k$ where $b^{A=B}_k = 0$ and obtains $s^A$.
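To make the message flow of part (S) concrete, here is a simulation of steps (Sa)-(Sf) with the tag check each receiver performs (example code written for this edit, not the paper's or any implementation's). It models the two-step tag $g_K(m) = h_K(f(m))$ of Section 2.3 with $f$ = SHA-256 and, as a stand-in for the unspecified $\mathrm{SU}_2$ family, a keyed affine map over a prime field truncated to 64 bits (an $\varepsilon$-$\mathrm{ASU}_2$ family); the ideal channel, the 10% detector loss, the byte encoding of messages and the names `run_sifting`, `verify` are assumptions of the example.

```python
import hashlib
import random
import secrets

# --- Two-step authentication tag of Section 2.3: t = g_K(m) = h_K(f(m)) -------------
# Assumptions of this example: f is SHA-256 (a public hash), and h_K is the keyed
# affine map z -> ((a*z + b) mod P) mod 2^64 over GF(P), with P a Mersenne prime larger
# than 2^256 so every digest embeds into the field.  Truncating an SU_2 family this
# way gives an eps-ASU_2 family; it stands in for the paper's unspecified h_K.
P = 2 ** 521 - 1
TAG_BITS = 64
EMPTY = None          # the "empty" measurement result / basis entry of step (Sb)


def f(message: bytes) -> int:
    """Inner public hash f: M -> Z, here Z = 256-bit integers."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def h(key, z: int) -> int:
    """Outer keyed hash h_K: Z -> T with a one-time key K = (a, b)."""
    a, b = key
    return ((a * z + b) % P) % (2 ** TAG_BITS)


def g(key, message: bytes) -> int:
    """Tag of a message.  The tag depends on m only through f(m)."""
    return h(key, f(message))


def verify(key, message: bytes, tag: int) -> bool:
    """Receiver-side check; a mismatch must abort the protocol (Section 3.2)."""
    return g(key, message) == tag


def new_key():
    return (secrets.randbelow(P), secrets.randbelow(P))


# --- Part (S) of Protocol 1 ---------------------------------------------------------
def alice_prepare(n, rng):
    """Step (Sa): raw key d^A, bases b^A, and state index 2*b+d in {0,1,2,3}."""
    d_a = [rng.randrange(2) for _ in range(n)]
    b_a = [rng.randrange(2) for _ in range(n)]
    rho_a = [2 * b + d for b, d in zip(b_a, d_a)]
    return d_a, b_a, rho_a


def bob_measure(rho, n, loss, rng):
    """Step (Sb) on an ideal channel: same basis -> Alice's bit, other basis ->
    uniformly random bit; a fraction `loss` of slots gives no result (empty)."""
    b_b = [rng.randrange(2) for _ in range(n)]
    d_b = []
    for state, basis in zip(rho, b_b):
        prep_basis, prep_bit = divmod(state, 2)
        if rng.random() < loss:
            d_b.append(EMPTY)
        elif basis == prep_basis:
            d_b.append(prep_bit)
        else:
            d_b.append(rng.randrange(2))
    b_b = [EMPTY if d is EMPTY else b for b, d in zip(b_b, d_b)]
    return b_b, d_b


def run_sifting(n=64, loss=0.1, seed=1):
    """Messages (S1)-(S4) with tag checks; returns the sifted keys s^A and s^B,
    which coincide on the ideal channel modelled here."""
    rng = random.Random(seed)
    k1, k2, k3 = new_key(), new_key(), new_key()        # Setup: shared keys
    d_a, b_a, rho_a = alice_prepare(n, rng)             # (Sa), (S1) over Q
    b_b, d_b = bob_measure(rho_a, n, loss, rng)         # (Sb)
    m_ack = b"ack"
    s2 = (m_ack, g(k1, m_ack))                          # (Sc): (S2) over C
    if not verify(k1, *s2):                             # (Sd): A checks t_1 first
        raise RuntimeError("abort: (S2) failed authentication")
    s3 = (bytes(b_a), g(k2, bytes(b_a)))                # (Sd): (S3)
    if not verify(k2, *s3):                             # (Se): B checks t_2
        raise RuntimeError("abort: (S3) failed authentication")
    b_a_recv = list(s3[0])
    b_ab = [1 if (bb is not EMPTY and ba == bb) else 0
            for ba, bb in zip(b_a_recv, b_b)]           # b^{A=B}
    s_b = [d for d, keep in zip(d_b, b_ab) if keep]     # s^B
    s4 = (bytes(b_ab), g(k3, bytes(b_ab)))              # (S4)
    if not verify(k3, *s4):                             # (Sf): A checks t_3
        raise RuntimeError("abort: (S4) failed authentication")
    s_a = [d for d, keep in zip(d_a, list(s4[0])) if keep]   # s^A
    return {"s_A": s_a, "s_B": s_b, "n_sifted": len(s_a)}


if __name__ == "__main__":
    out = run_sifting(n=128, loss=0.1, seed=7)
    print(out["n_sifted"], "sifted bits, keys equal:", out["s_A"] == out["s_B"])
```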



3.3.2. Post processing (P)

SUMMARY: 3 classical messages with MACs are exchanged.

1. Setup. A and B share 3 keys $K_4, K_5, K_6$.

2. Protocol messages. Let $T^A = (i, \mathrm{EC}_i(s^A), \mathrm{CO}, \mathrm{CO}(s^A))$.

(P1) A $\to$ B : $T^A, g_{K_4}(T^A)$
(P2) A $\leftarrow$ B : $\varepsilon, g_{K_5}(\varepsilon)$ or $\mathrm{fail}, g_{K_5}(\mathrm{fail})$
(P3) A $\to$ B : $\mathrm{PA}, g_{K_6}(\mathrm{PA})$

3. Protocol actions.

(Pa) A estimates the parameters of Q (based on the error rate of previous rounds or by choosing a default value), selects a corresponding forward error correction algorithm $\mathrm{EC}_i$ from a predefined set, and calculates the syndrome $\mathrm{EC}_i(s^A)$. A determines a confirmation function CO, and calculates $\mathrm{CO}(s^A)$. A sends (P1).

(Pb) B uses $\mathrm{EC}_i$ and $\mathrm{EC}_i(s^A)$ to correct $s^B$, resulting in $\tilde s^B$. B uses CO to calculate $\mathrm{CO}(\tilde s^B)$. B checks whether $\mathrm{CO}(\tilde s^B) = \mathrm{CO}(s^A)$. If the identity holds, B calculates the error rate $\varepsilon$ and sends it to A (P2). If not, B sends fail to A (P2) and aborts the protocol.

(Pc) If A receives $\varepsilon$, A determines a corresponding privacy amplification function PA, calculates $K^A = \mathrm{PA}(s^A)$, and sends (P3). If A receives fail she aborts the protocol.

(Pd) If B has not aborted in step (Pb), he now calculates $K^B = \mathrm{PA}(\tilde s^B)$. With probability almost 1 (determined by the confirmation function CO), $K^A = K^B$.



3.3.3. Attack against Protocol 1

Eve replaces the quantum channel between Alice and Bob with ideal quantum channels and her instrumentation to prepare, store, and (almost) perfectly measure quantum states.

RESULT: Alice, Bob, and Eve share identical keys $K^A = K^B = K^E$.

1. Notation.

$\tilde b^X$: a string that deviates slightly from $b^X$ to reach a hash collision with a given tag $t$ [used in messages (S3') and (S4')].

2. Protocol messages and messages inserted by Eve (marked by '). Let $t_1 := g_{K_1}(m_{\mathrm{ack}})$, $t_2 := g_{K_2}(b^A)$, and $t_3 := g_{K_3}(b^{E=B})$ be the authentication tags used in messages (S2)-(S4).

(S1) A $\to$ E : $\rho^A$
(S1') E $\to$ B : $\rho^E$
(S2) A $\leftarrow$ B : $m_{\mathrm{ack}}, t_1$
(S3) A $\to$ E : $b^A, t_2$
(S3') E $\to$ B : $\tilde b^E, t_2$
(S4) E $\leftarrow$ B : $b^{E=B}, t_3$
(S4') A $\leftarrow$ E : $\tilde b^{A=E}, t_3$
(P1) A $\to$ B : $T^A, g_{K_4}(T^A)$
(P2) A $\leftarrow$ B : $\varepsilon, g_{K_5}(\varepsilon)$ or $\mathrm{fail}, g_{K_5}(\mathrm{fail})$
(P3) A $\to$ B : $\mathrm{PA}, g_{K_6}(\mathrm{PA})$

3. Protocol and attack actions.

(Sa) A performs step (Sa) of the protocol (prepares $\rho^A$ and sends it in (S1)).

(Sa') E intercepts (S1) from A and stores $\rho^A$ in her quantum memory. Then E performs exactly as A in step (Sa) of the protocol: E determines random $d^E$ and $b^E$, prepares a state $\rho^E$ and sends it in (S1') to B.

(Sb) B performs step (Sb) of the protocol, measuring the state E has prepared, $\rho^E$, instead of $\rho^A$ as in the protocol (in the following denoted as $\rho^A \to \rho^E$).

(Sc) B performs step (Sc) of the protocol, i.e. he sends (S2).

(Sd) A performs step (Sd) of the protocol. She sends (S3).

(Sd') E intercepts (S3), i.e. $b^A$ and the corresponding tag $t_2$, measures her quantum memory in bases $b^A$ and obtains an identical copy of A's raw key, $d^A$.

(Sd'') E determines $\tilde b^E$ (e.g. using an exhaustive search) such that the intercepted $t_2$ validates $\tilde b^E$ and $d_H(b^E, \tilde b^E)$ is small (cf. Lemma 1), and sends (S3') to B.

(Se) B performs step (Se) of the protocol ($b^A \to \tilde b^E$, $b^{A=B} \to b^{E=B}$), obtains $s^B$ and sends message (S4).

(Se') E intercepts (S4), i.e. $b^{E=B}$ and the corresponding tag $t_3$. E removes from $d^E$ all bits $d^E_k$ where $b^{E=B}_k = 0$ and obtains $s^{E\leftrightarrow B} \approx s^B$ (in general $s^{E\leftrightarrow B} \ne s^B$, because E had to send $\tilde b^E$ instead of her true basis choice $b^E$ in step (Sd'')).

(Se'') Using the algorithm detailed in Appendix B.1, E searches for a subsequence of $d^A$ that coincides with $s^{E\leftrightarrow B}$ and calculates $b^{A=E}$ such that in A's next step, (Sf), A would create $s^A \approx s^{E\leftrightarrow B}$ as her sifted key. Typically E will have to allow for $O(\sqrt{n})$ bits that will be different between $s^A = s^{E\leftrightarrow A}$ and $s^{E\leftrightarrow B}$ (see Lemma 2).

(Se''') As in step (Sd''), E determines $\tilde b^{A=E}$ with small Hamming distance to $b^{A=E}$, this time validated by $t_3$ obtained in step (Se'), calculates the actual sifted key of A, $s^{E\leftrightarrow A} \approx s^{E\leftrightarrow B}$, and sends (S4') to A.

(Sf) A performs step (Sf) of the protocol ($b^{A=B} \to \tilde b^{A=E}$) and obtains $s^A = s^{E\leftrightarrow A}$.

Note: Eve has almost reached her goal, as $s^A = s^{E\leftrightarrow A} \approx s^{E\leftrightarrow B} \approx s^B$ holds. The subsequent error correction step allows her to reach $K^A = K^E = K^B$:

(Pa) A performs step (Pa) of the protocol. Eve reads (P1) and uses the syndrome to correct her sifted key (in case A's preparation and/or E's quantum measurement and preparation are not 100% perfect, so that only $s^{E\leftrightarrow A} \approx s^A$ holds).

(Pb) B performs step (Pb) of the protocol: $s^A = s^{E\leftrightarrow A} = \tilde s^B$.

(Pc) A performs step (Pc) of the protocol and obtains $K^A = \mathrm{PA}(s^A)$.

(Pc') E reads (P3), the privacy amplification function PA. E calculates $K^E = \mathrm{PA}(s^{E\leftrightarrow A}) = K^A$.

(Pd) B performs step (Pd) of the protocol: $K^A = K^E = K^B$.

This attack completely breaks Protocol 1. Eve has an identical copy of Alice's and Bob's shared "secret" key. This is the strongest possible attack. For instance, using her copy of the key, Eve can simply decrypt messages from, and encrypt and/or authenticate new messages to, both parties.

If this key is used to authenticate further QKD rounds, Eve can now continue with a much simpler impersonation attack, in which she does not have to calculate hash collisions or use her quantum memory.



Figure 2. Interleaving attack against quantum exchange and sifting of Protocol 1, a QKD protocol with immediate authentication. Time flows from left to right. Single (double) lines represent classical (quantum) communication. See the caption of Fig. 1 for a description of boxes and symbols. The new boxes $A_i$ denote the attack actions described in protocol steps (Se) through (Se'''). Employing quantum memory, Eve manages to bring Alice and Bob to distill a sifted key that she knows with probability approaching 1.

3.4. Protocol 2 - BB84 with delayed message authentication - Alice sends bases

This protocol is very similar to Protocol 1; the difference is the authentication method: authentication is delayed and performed only at the end of the protocol, verifying the integrity of all messages. This changes the details of our attack strategy: until the very last message we do not have to care about authentication, but at the end we attack the privacy amplification matrix to get enough degrees of freedom to find collisions (step (Pc'), see below).

SUMMARY: 7 classical messages are exchanged. A nonce is used to enforce synchronization. The two last messages are authenticated with MACs.

1. Notation. $n^B$: random number (nonce), created by B.

2. Setup. A and B share two keys $K_1, K_2$.

3. Protocol messages. Let $T^A = (i, EC_i(s^A), CO, CO(s^A))$, $M^A = (b^A, T^A, P^A)$ and $M^B = (n^B, b^{A=B}, e/\mathrm{fail})$.

(S1) A → B : $\rho^A$
(S2) A ← B : $n^B$
(S3) A → B : $b^A$
(S4) A ← B : $b^{A=B}$
(P1) A → B : $T^A$
(P2) A ← B : $e$ / fail, $g_{K_1}(M^B)$
(P3) A → B : $P^A, g_{K_2}(M^A)$ / -

4. Protocol actions. Steps (Sa)-(Sf) and (Pa)-(Pd) are identical to those of protocol 1, with the following exceptions: (a) only the two last messages of the protocol, (P2) and (P3) [sent in steps (Pb) and (Pc)], carry MACs, and these authenticate all messages from Bob to Alice and from Alice to Bob, respectively; (b) in step (Sc) the message (S2) contains a nonce $n^B$, a random number chosen by Bob and used to ensure that Bob has finished measuring before the basis exchange starts. Using a fixed ack as in protocol 1 instead of the random nonce $n^B$ would allow a trivial attack.
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3.4-1- Attack against Protocol 2 (Eve only attacks messages to Bob) Eve replaces 
the quantum channel between Alice and Bob, with ideal quantum channels and her 
instrumentation to prepare, store and perfectly measure quantum states. The first part 
of the attack is similar to the attack against protocol 1 but it differs in several essential 
instances. All steps from (Sa) to (Sd') are basically the same, but messages (S2) and 
(S3) are sent without MACs. From now on the attack differs so that Eve can cope with 
the form of postponed authentication utilized in protocol 2. In particular, we assume 
that Eve cannot manipulate the message that contains the error rate e on the quantum 
channel. This could be the case, for example, if e is encoded as 16 bit integer: the 
existence of hash collisions is very unlikely, since it is impossible to reach the needed 



Hamming distance of at least 19 (see Sec. 3.1). This in turn implies, that Eve can 



also not manipulate any previous message from Bob to Alice (since she does not know 
what value of e Bob will be transmitting, she does not know which messages to prepare 
to get a hash collision). In particular, Eve cannot modify the sifting message of Bob, 
which rules out an attack analogous to the attack against protocol 1, described above. 
Amazingly, although Eve cannot modify any message from Bob to Alice, she can still 
mount the most powerful attack (Alice, Bob, and Eve share the same key)! 
RESULT: Alice, Bob, and Eve share identical keys K A = K B = K E . 

1. Protocol messages and messages inserted by Eve (marked by '). In addition to the definitions in the protocol above, let $t_2 = g_{K_2}(M^A)$.

(S1)  A → E : $\rho^A$
(S1') E → B : $\rho^E$
(S2)  A ← B : $n^B$
(S3)  A → E : $b^A$
(S3') E → B : $b^E$
(S4)  A ← B : $b^{E=B}$
(P1)  A → E : $T^A$
(P1') E → B : $T^E$
(P2)  A ← B : $e$ / fail, $g_{K_1}(M^B)$
(P3)  A → E : $P^A, t_2$ / -
(P3') E → B : $P^E, t_2$ / -
2. Protocol and attack actions.

(Sa)-(Sd') Identical to those of protocol 1 (cf. Sec. 3.3.3), up to the absence of authentication tags in the present protocol.
(Sd'') E performs step (Sd) of the protocol ($b^A \to b^E$) and sends message (S3') to B.
(Se) B performs step (Se) of the protocol ($b^A \to b^E$), obtains $b^{E=B}$ and $s^B$, and sends message (S4).
(Se') E reads message (S4), i.e. $b^{E=B}$. She removes from $d^E$ all bits $d^E_k$ for $k$ with $b^{E=B}_k = 0$ and obtains $s^{E\leftrightarrow B} = s^B$, possibly with noise.
(Sf) A performs step (Sf) of the protocol ($b^{A=B} \to b^{E=B}$) and obtains $s^A$.
(Sf') E removes from the string $d^A$ (which she knows exactly) all bits $d^A_k$ for $k$ with $b^{E=B}_k = 0$ and obtains $s^{E\leftrightarrow A} = s^A$.

Note: Eve now shares two keys, $s^A = s^{E\leftrightarrow A}$ with Alice and $s^{E\leftrightarrow B} = s^B$ (or $s^{E\leftrightarrow B} \approx s^B$, as discussed above) with Bob, but these two keys are not correlated. After the subsequent error correction step E shares $s^A = s^{E\leftrightarrow A}$ and $s^{E\leftrightarrow B} = s^B$ exactly. Finally, by attacking the privacy amplification step of the protocol, E achieves her ultimate goal $K^A = K^E = K^B$:

(Pa) A performs this step of the protocol and sends message (P1).
(Pa') E intercepts (P1), produces $T^E = (i, EC_i(s^{E\leftrightarrow B}), CO, CO(s^{E\leftrightarrow B}))$ and sends message (P1') to B. (If E anticipates that the error rate between her and B would be suspiciously low, she can artificially modify her sifted key $s^{E\leftrightarrow B}$ to increase the error that B registers.)
(Pb) B performs step (Pb) of the protocol ($T^A \to T^E$), obtains $s^B = s^{E\leftrightarrow B}$, calculates the error rate, determines $M^B = (n^B, b^{E=B}, e/\mathrm{fail})$, where $b^{A=B} \to b^{E=B}$, and sends message (P2).
(Pc) A accepts the authenticity of all the messages she has received, i.e. (S2), (S4), (P2), since E has not modified any of them, and performs step (Pc), sending (P3).
(Pc') E intercepts (P3). To break the authentication of (P3), E calculates another PA function $P^E$ such that $P^E(s^{E\leftrightarrow B}) = K^A$ and $t_2 = g_{K_2}(b^E, T^E, P^E)$. For the last condition it is sufficient that the message $M^E = (b^E, T^E, P^E)$ collides with $M^A$ under the inner authentication hash function $f$, i.e. $f(M^E) = f(M^A)$. E sends (P3') to B. (If Eve were satisfied with Alice and Bob having different keys, both of which she knows, she would only search for any PA function $P^E$ with $f(M^E) = f(M^A)$ and accept $K^B = P^E(s^{E\leftrightarrow B}) = K^{E\leftrightarrow B} \neq K^A$.)
(Pd) B accepts the authenticity of all the messages he has received, i.e. (S3'), (P1'), (P3'), since he has received a valid tag ($t_2$), and performs the final step of the protocol to get $K^B = P^E(s^B) = K^E = K^A$.
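Step (Pc') is where the "degrees of freedom" of the privacy amplification matrix are spent. The following Python sketch, added here and not taken from the paper, shows the counting argument in code: with a linear PA function $K = P\,s$ over GF(2), every key bit fixes one parity of the corresponding row of $P^E$ and leaves all other entries of that row free, so Eve can hold every row but the last fixed and still has $2^{|s|-1}$ admissible last rows to search through for $f(M^E) = f(M^A)$. The serialisation of $M = (b, T, P)$, the 12-bit truncation of SHA-256 standing in for the public inner hash $f$, and all keys, strings and sizes are constructed for the example; with a real $f$ the same loop costs $2^{|f|}$ evaluations, which is the computational (not information-theoretic) barrier the paper refers to.

```python
"""Step (Pc') of the attack on Protocol 2 (Sec. 3.4.1): forging the privacy
amplification matrix.  Added example; f, the encoding and all data are constructed."""
import hashlib
import random

F_BITS = 12  # toy output length of the public inner hash f


def f(msg):
    """Public inner hash f: SHA-256 truncated to F_BITS (toy, so the search is fast)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - F_BITS)


def pa_apply(P, s):
    """Privacy amplification K = P s over GF(2); P is a list of 0/1 rows."""
    return [sum(p & x for p, x in zip(row, s)) & 1 for row in P]


def encode(b, T, P):
    """Byte serialisation of M = (b, T, P) that f is applied to (constructed)."""
    return bytes(b) + b"|" + T + b"|" + b"".join(bytes(row) for row in P)


def row_with_parity(s, k, rng):
    """Uniformly random row p with p . s = k (mod 2): one linear constraint on
    len(s) unknowns, leaving len(s) - 1 free bits per row of P^E."""
    if not any(s):
        raise ValueError("all-zero sifted key: P s = 0 for every P")
    row = [rng.randrange(2) for _ in s]
    if sum(p & x for p, x in zip(row, s)) & 1 != k:
        row[rng.choice([i for i, x in enumerate(s) if x])] ^= 1
    return row


def forge_pa(b_e, T_e, s_eb, K_a, target, rng, max_tries=1 << 20):
    """Find P^E with P^E s^{E<->B} = K^A and f((b^E, T^E, P^E)) = target.
    Every row but the last is fixed once; resampling the last row alone already
    walks through 2**(len(s_eb) - 1) admissible matrices, far more than 2**F_BITS."""
    P_e = [row_with_parity(s_eb, k, rng) for k in K_a]
    for _ in range(max_tries):
        P_e[-1] = row_with_parity(s_eb, K_a[-1], rng)
        if f(encode(b_e, T_e, P_e)) == target:
            return P_e
    return None


def demo(n_sift=32, key_len=8, seed=7):
    rng = random.Random(seed)
    bits = lambda m: [rng.randrange(2) for _ in range(m)]
    # Honest Alice: sifted key s^A, PA matrix P^A, final key K^A, message M^A = (b^A, T^A, P^A)
    s_a, P_a = bits(n_sift), [bits(n_sift) for _ in range(key_len)]
    K_a = pa_apply(P_a, s_a)
    b_a, T_a = bits(64), b"T^A: syndrome and check values (constructed)"
    target = f(encode(b_a, T_a, P_a))  # the tag t2 = h_K2(f(M^A)) binds nothing but this
    # Eve: the messages she already substituted and her unrelated sifted key with Bob
    s_eb, b_e, T_e = bits(n_sift), bits(64), b"T^E: syndrome and check values (constructed)"
    P_e = forge_pa(b_e, T_e, s_eb, K_a, target, rng)
    if P_e is None:
        raise RuntimeError("search budget exhausted")
    return {"K_a": K_a, "K_b": pa_apply(P_e, s_eb),
            "collides": f(encode(b_e, T_e, P_e)) == target}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns Alice's key $K^A$, the key $K^B = P^E(s^{E\leftrightarrow B})$ that Bob derives from the forged matrix, and whether the forged message collides with $M^A$ under $f$. The two keys agree and the collision holds, so the tag $t_2$ that Alice computed over $M^A$ verifies unchanged over $M^E$; Bob has no way to notice, because $h_{K_2}$ only ever sees $f(\cdot)$.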

3.5. Protocol 3 - BB84 with immediate message authentication - Bob sends bases 

This protocol is a variant of protocol 1, also using immediate message authentication. 
Only part (S), i.e. the quantum state transmission and sifting is different: After 
measuring the quantum signals, instead of sending an acknowledge message as in 
protocol 1, Bob sends his bases information to Alice (implicitly acknowledging that 
he has finished his measurements). Alice replies with her basis information. 

3.5.1. State transmission and sifting

SUMMARY: 2 classical messages with MACs are exchanged.

1. Setup. A and B share two keys $K_1, K_2$.

2. Protocol messages.

(S1) A → B : $\rho^A$
(S2) A ← B : $b^B, g_{K_1}(b^B)$
(S3) A → B : $b^{A=B}, g_{K_2}(b^{A=B})$

3. Protocol actions.

(Sa) Same as (Sa) in protocol 1: A creates two random bit strings $d^A, b^A \in_r \{0,1\}^N$. For each pair $(d^A_k, b^A_k)$ A generates the corresponding quantum state $\rho^A_k \in \{\rho^0, \rho^1, \rho^2, \rho^3\}$. Using Q, A sends the quantum state $\rho^A = \bigotimes_{k=1}^N \rho^A_k$ (the "string" of all $\rho^A_k$), i.e. (S1), to B.
(Sb) Same as (Sb) in protocol 1: B creates a random bit string $b^B \in_r \{0,1\}^N$. B measures $\rho^A$ in the bases $b^B$ and obtains $d^B \in \{0, 1, \mathrm{empty}\}^N$ as result. For all $k$ with $d^B_k = \mathrm{empty}$, B sets $b^B_k = \mathrm{empty}$.
(Sc) Using C, B sends (S2), i.e. $b^B$, to A.
(Sd) A waits until she has received (S2). A calculates the bit string $b^{A=B}$ such that $b^{A=B}_k = 1$ if $b^A_k = b^B_k$, and $b^{A=B}_k = 0$ otherwise. A removes from $d^A$ all bits $d^A_k$ where $b^{A=B}_k = 0$ and obtains $s^A$.
(Se) Using C, A sends (S3), i.e. $b^{A=B}$, to B.
(Sf) B removes from $d^B$ all bits $d^B_k$ where $b^{A=B}_k = 0$ and obtains $s^B$.

3.5.2. Post processing (P)

This part is completely identical to part (P) of protocol 1, cf. Sec. 3.3.2.

3.5.3. Attack against Protocol 3

Eve replaces the quantum channel between Alice and Bob with ideal quantum channels and her own instrumentation. Eve must be able to prepare and perfectly measure quantum states; she does not need a quantum memory to perform this attack. Essentially the attack is a modified version of the well-known intercept-resend attack, whereby the authentication mechanism under discussion allows Eve to conceal the difference between the sifted keys of Alice and Bob (of roughly 25%) in the post-processing stage of the protocol.

RESULT: Alice, Bob, and Eve share identical keys $K^A = K^B = K^E$.

1. Notation.

$\tilde b^x$: a string that deviates only slightly from $b^x$ but reaches a hash collision with a given tag $t$ [used in messages (S2') and (S3')].

2. Protocol messages and messages inserted by Eve (marked by '). Let $t_1 = g_{K_1}(b^B)$, $t_2 = g_{K_2}(b^{A=E})$, $t_3 = g_{K_3}(T^A)$ and $t_5 = g_{K_5}(P^A)$.

(S1)  A → E : $\rho^A$
(S1') E → B : $\rho^E$
(S2)  E ← B : $b^B, t_1$
(S2') A ← E : $\tilde b^E, t_1$
(S3)  A → E : $b^{A=E}, t_2$
(S3') E → B : $\tilde b^{E=B}, t_2$
(P1)  A → E : $T^A, t_3$
(P1') E → B : $T^E, t_3$
(P2)  A ← B : $e, g_{K_4}(e)$ / fail, $g_{K_4}(\mathrm{fail})$
(P3)  A → E : $P^A, t_5$
(P3') E → B : $P^E, t_5$
3. Protocol and attack actions.

(Sa) A performs step (Sa) of the protocol.
(Sa') E creates a random bit string $b^E \in_r \{0,1\}^N$. E intercepts (S1) from A and measures $\rho^A$ in the bases $b^E$; she obtains $d^E$. For each pair $(d^E_k, b^E_k)$, E prepares the corresponding quantum state $\rho^E_k$ and sends (S1') to B.
(Sb) B performs step (Sb) of the protocol ($\rho^A \to \rho^E$).
(Sc) B performs step (Sc) of the protocol, i.e. he sends (S2).
(Sd') E intercepts (S2) and performs A's step (Sd) of the protocol ($b^{A=B} \to b^{E=B}$, $b^A \to b^E$); she obtains her sifted key with Bob, $s^{E\leftrightarrow B}$.
(Sc') E calculates $\tilde b^E$ such that the intercepted $t_1$ validates $\tilde b^E$ and $d_H(\tilde b^E, b^E)$ is small. She then performs B's step (Sc) of the protocol ($b^B \to \tilde b^E$), i.e. she sends (S2') to A.
(Sd) A performs step (Sd) of the protocol ($b^B \to \tilde b^E$, $b^{A=B} \to b^{A=E}$); she obtains $b^{A=E}$ (defined by $b^{A=E}_k = 1$ if $b^A_k = \tilde b^E_k$, and $b^{A=E}_k = 0$ otherwise) and $s^A$.
(Se) A performs step (Se) of the protocol ($b^{A=B} \to b^{A=E}$), i.e. she sends (S3).
(Sf') E intercepts (S3) and performs B's step (Sf) of the protocol ($d^B \to d^E$, $b^{A=B} \to b^{A=E}$); she obtains (approximately) her sifted key with A, $s^{E\leftrightarrow A}$. (There are small deviations between $s^A$ and $s^{E\leftrightarrow A}$, since E had to send $\tilde b^E$ instead of $b^E$.)
(Se') E determines the string $b^{E=B}$ such that $b^{E=B}_k = 1$ if $b^E_k = b^B_k$, and $b^{E=B}_k = 0$ otherwise. E then calculates the string $\tilde b^{E=B}$ such that the intercepted $t_2$ validates $\tilde b^{E=B}$ and $d_H(\tilde b^{E=B}, b^{E=B})$ is small. Now E performs A's step (Se) of the protocol ($b^{A=B} \to \tilde b^{E=B}$), i.e. she sends (S3').
(Sf) B performs step (Sf) of the protocol ($b^{A=B} \to \tilde b^{E=B}$) and obtains his sifted key $s^B$ (there are small deviations between $s^B$ and $s^{E\leftrightarrow B}$, since E had to send $\tilde b^{E=B}$ instead of $b^{E=B}$).

Note: Now Eve possesses almost identical copies of Alice's and Bob's keys, respectively: $s^A \approx s^{E\leftrightarrow A}$ and $s^{E\leftrightarrow B} \approx s^B$ (while $s^A$ and $s^B$ differ in approximately 25% of the bits due to Eve's quantum intercept-resend attack). The subsequent steps allow Eve to transform her key $s^{E\leftrightarrow A}$ into $s^A$ and to make Bob transform his key $s^B$ into a new key $\hat s^B$, which she knows:
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(Pa) A performs step (Pa) of the protocol, i.e. she sends (PI). 

(Pb') E performs B's step (Pb) of the protocol, i.e. she intercepts (PI) to learn the 

syndrome ECi(s A ), and corrects her sifted key s E ^ A to s A . 
(Pa') E performs A's step (Pa) of the protocol, but modifies her key s E<H-B such that 

PC E (s E<H,B ) will allow B to correct his sifted key to the modified s E ^ B and that 

the resulting (PI'), i.e. T E = {i, ECi{s E ^ B ),CO,CO{s E ^ B )), is compatible 

with tag £ 3 . E sends (PI'). 
(Pb) B performs step (Pb) of the protocol, i.e. he corrects his sifted key s B and 

obtains s B . Now Eve shares s A with Alice, and s B with Bob. 
(Pc) A performs step (Pc) of the protocol, i.e. she determines a privacy amplification 

function P A , applies it to her sifted key, and obtains K A = P A (s A ). A sends 

(P3). 

(Pc') E intercepts (P3) to learn the privacy amplification function P A and thus A's 
final key K A . E calculates another PA function P E such that P E (s B ) = K A 
and that (P3') is compatible with tag £5. 

(Pd) B performs step (Pd) of the protocol, i.e. he applies P E and gets K B = 
P E (s B ) = K A . 

Again, Eve managed to break the protocol completely, as she knows Alice's and Bob's 
shared "secret" key. 

3.6. Implications of protocol modifications on the presented attacks

3.6.1. No separate step for transmitting the privacy amplification function. In [20, p. 83] it has been proposed that the privacy amplification function $P^A$ is not transmitted in a separate protocol step (our step (P3)), but is constructed from previously exchanged basis information ([3] uses this method to counter the attack described in [3]). However, no strict security proof of the resulting protocol has ever been put forward.

For the discussed two-step authentication our attack against protocol 1 still works without step (P3), since we do not attack the post-processing step at all. The attack against protocol 3 also still works without step (P3), but is less powerful: since Eve has complete knowledge of the basis information, she can simply apply the respective PA function individually to her keys with Alice and with Bob. Consequently, Eve knows Alice's and Bob's final keys, which will, however, be different.

The case of protocol 2 is slightly more complicated, but the outcome is identical to that of protocol 3. In this case the last message from Alice to Bob is (P1), and it naturally has to be extended to carry the authentication tag $t_2 = g_{K_2}(M^A)$, where now $M^A = (b^A, T^A)$. Eve has to modify her attack: now she has to look for an error correction syndrome $T^E$ such that $M^E = (b^E, T^E)$ collides with $M^A$ under the inner authentication hash function $f$, i.e. $f(M^E) = f(M^A)$. To do so Eve is free to modify her sifted key $s^{E\leftrightarrow B} \to \hat s^{E\leftrightarrow B}$, so that $T^E = (i, EC_i(\hat s^{E\leftrightarrow B}), CO, CO(\hat s^{E\leftrightarrow B}))$ ensures the required collision. As in the case of protocol 3, Eve has complete knowledge of the bases of Alice and Bob. She can again apply the respective PA functions independently and obtain the final keys of Alice and Bob, which differ from each other.



3.6.2. One-time pad encryption of the error correction syndrome. Ref. [21] presented a protocol in which the parity bits are encrypted with a one-time pad (using key that is preshared or generated in previous rounds). Since Alice and Bob additionally use a (large) key which is not known to Eve, one could expect that attacks become impossible. Nevertheless, we briefly outline modified attacks against such a protocol.

If Eve uses a quantum memory in her attack, she learns Alice's complete sifted key. Therefore she can calculate the exact syndrome that Alice will OTP-encrypt and send. From the plain and the encrypted syndrome Eve recovers the one-time pad, encrypts her own syndrome with it and continues the attack.

If Eve performs an attack without quantum memory, her and Alice's sifted keys differ in a small number of bits (the Hamming distance $w$ of the two keys), the positions of which are known to Eve. Thus Eve can create the set of all possible sifted keys of Alice, of size $2^w$, which is only a very small subset of all possible keys of length approximately $n/2$, and is also smaller than the set of all possible message tags. Eve then picks one element of this set at random as her guess for Alice's sifted key. Compared to a guess without prior knowledge she dramatically increases her chances of guessing correctly, although the success probability is still quite low, namely $p = 2^{-w}$. Assuming she has guessed correctly, she can calculate the syndrome that Alice has sent and thus also obtain the one-time pad. She then uses it to encrypt the syndrome that she sends to Bob.



3.7. Overview of attack approaches for adversaries with and without quantum memory

Up to now we have presented three attacks in which Eve, on receiving a protocol message from Alice (Bob), sends either the original message or a modified one to Bob (Alice). In Sec. 3.8 we will present a different kind of attack. The attacks presented so far are not isolated cases of adversary success strategies against weak authentication that uses the approach of Ref. [3]. The attacks are actually made up of building blocks that can be combined and applied in a wide variety of settings. We illustrate this fact by presenting a systematic overview of successful attacks against a range of protocols comprising the cases of sifting being started by Alice or by Bob, and of authentication being immediate or delayed. Moreover, for all cases we distinguish between two levels of adversary resources: i) "classical only", i.e. sufficiently high computing power, or ii) "quantum and classical", i.e. a combination of quantum resources (quantum memory) and classical ones (as in i)). These attacks are summarized in Tables 2 and 3. The attacks are not described in full detail, and the tables focus on the adversary's activities alone. The full attacks can, however, easily be deduced by comparing the table entries referring to Attacks 1, 2 and 3 with the detailed descriptions of these cases given above.



Table 2. Overview of attacks against the sifting stage of different protocol variants. QM denotes whether Eve uses a quantum memory in her attack. The notation "Protocol 1-3" refers to the protocols and corresponding attacks described in full detail above. $\rho^E(b^E, d^E)$ denotes the quantum state which encodes the bit string $d^E$ in the bases $b^E$. $\approx$ denotes that two sifted keys deviate only weakly (error correction can reconcile them); $\not\approx$ denotes a deviation of two sifted keys by typically 25%. If not otherwise stated, E performs sifting with the appropriate bases of A and B. In the delayed-authentication column E does not substitute messages from B to A.

Alice sends bases, QM = Y

  Immediate authentication: Protocol 1, interleaving attack (Case 1)
    E stores $\rho^A$ in quantum memory,
    E sends random $\rho^E(b^E, d^E)$ to B,
    E substitutes $\tilde b^E$ for $b^A$,
    E measures $\rho^A$ in $b^A$ and learns $d^A$,
    E calculates $b^{A=E}$ to force $s^A = s^{E\leftrightarrow A} \approx s^{E\leftrightarrow B} \approx s^B$,
    E substitutes $\tilde b^{A=E}$ for $b^{E=B}$.
    Outcome: $s^A = s^{E\leftrightarrow A} \approx s^{E\leftrightarrow B} \approx s^B$.

  Delayed authentication: Protocol 2, interleaving attack (Case 2)
    E stores $\rho^A$ in quantum memory,
    E sends random $\rho^E(b^E, d^E)$ to B,
    E substitutes $b^E$ for $b^A$,
    E measures $\rho^A$ in $b^A$ and learns $d^A$,
    E listens to $b^{E=B}$ (no substitution!).
    Outcome: $s^A = s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} = s^B$.

Alice sends bases, QM = N

  Immediate authentication: intercept-resend attack (Case 3)
    E measures $\rho^A$ in $b^E$ and gets $d^E$,
    E sends $\rho^E(b^E, d^E)$ to B,
    E substitutes $\tilde b^E$ for $b^A$,
    E substitutes $\tilde b^{A=E}$ for $b^{E=B}$.
    Outcome: $s^A \approx s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} \approx s^B$.

  Delayed authentication: one-sided intercept-resend attack (Case 4)
    E measures $\rho^A$ in $b^E$ and gets $d^E$,
    E sends $\rho^E(b^E, d^E)$ to B,
    E substitutes $b^E$ for $b^A$,
    E listens to $b^{E=B}$ (no substitution!).
    Outcome: $s^A \not\approx s^{E\leftrightarrow A} = s^{E\leftrightarrow B} = s^B$.

Bob sends bases, QM = Y

  Immediate authentication: interleaving attack (Case 3)
    E stores $\rho^A$ in quantum memory,
    E sends random $\rho^E(b^E, d^E)$ to B,
    E listens to $b^B$ (no substitution!),
    E measures $\rho^A$ in $b^B$,
    E listens to $b^{A=B}$ and determines $s^{E\leftrightarrow A}$,
    E substitutes $\tilde b^{E=B}$ for $b^{A=B}$.
    Outcome: $s^A = s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} \approx s^B$.

  Delayed authentication: interleaving attack (Case 2)
    E stores $\rho^A$ in quantum memory,
    E sends random $\rho^E(b^E, d^E)$ to B,
    E listens to $b^B$ (no substitution!),
    E measures $\rho^A$ in $b^B$,
    E listens to $b^{A=B}$ and determines $s^{E\leftrightarrow A}$,
    E substitutes $b^{E=B}$ for $b^{A=B}$.
    Outcome: $s^A = s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} = s^B$.

Bob sends bases, QM = N

  Immediate authentication: Protocol 3, intercept-resend attack (Case 3)
    E measures $\rho^A$ in $b^E$ and gets $d^E$,
    E sends $\rho^E(b^E, d^E)$ to B,
    E substitutes $\tilde b^E$ for $b^B$,
    E substitutes $\tilde b^{E=B}$ for $b^{A=B}$.
    Outcome: $s^A \approx s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} \approx s^B$.

  Delayed authentication: one-sided intercept-resend attack (Case 4)
    E measures $\rho^A$ in $b^E$ and gets $d^E$,
    E sends $\rho^E(b^E, d^E)$ to B,
    E listens to $b^B$ (no substitution!),
    E substitutes $b^{E=B}$ for $b^{A=B}$.
    Outcome: $s^A \not\approx s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} = s^B$.

Table 3. Overview of four attack classes against the protocol stages after sifting. The attacks pertain to the output of sifting, which according to Table 2 yields four different types of correlations between the sifted keys of A, E and B: two for immediate (cases 1, 3) and two for delayed authentication (cases 2, 4), respectively. Note that for the sake of simplicity we do not use the "hat" notation for error-corrected keys. In the delayed-authentication cases E does not substitute messages from B to A.

Case 1 (immediate authentication; $s^A \approx s^{E\leftrightarrow A} \approx s^{E\leftrightarrow B} \approx s^B$)
  EC: E does nothing.
      Result: $s^A = s^{E\leftrightarrow A} = s^{E\leftrightarrow B} = s^B$.
  PA: E listens to the PA function $P^A$, E calculates $K^E := P^A(s^{E\leftrightarrow A})$.
      Result: $K^A = K^E = K^B$.

Case 2 (delayed authentication; $s^A \approx s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} \approx s^B$)
  EC: E intercepts $T^A$, E calculates $T^E$, E sends $T^E$ to B.
      Result: $s^A = s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} = s^B$.
  PA: E intercepts the PA function $P^A$, E calculates $K^E := P^A(s^{E\leftrightarrow A})$, E calculates a new PA function $P^E$, E sends $P^E$ to B.
      Result: $K^A = K^E = K^B$.

Case 3 (immediate authentication; $s^A \approx s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} \approx s^B$)
  EC: E intercepts $T^A$, E corrects $s^{E\leftrightarrow A}$ and obtains $s^A$, E modifies $s^{E\leftrightarrow B}$ and calculates $T^E$, E sends $T^E$ to B.
      Result: $s^A = s^{E\leftrightarrow A} \not\approx s^{E\leftrightarrow B} = s^B$.
  PA: E intercepts the PA function $P^A$, E calculates $K^E := P^A(s^{E\leftrightarrow A})$, E calculates a new PA function $P^E$, E sends $P^E$ to B.
      Result: $K^A = K^E = K^B$.

Case 4 (delayed authentication; $s^A \not\approx s^{E\leftrightarrow A}$, $s^{E\leftrightarrow B} = s^B$)
  EC: E intercepts $T^A$, E calculates $T^E$, E sends $T^E$ to B.
      Result: $s^A \not\approx s^{E\leftrightarrow A}$, $s^{E\leftrightarrow B} = s^B$.
  PA: E intercepts the PA function $P^A$, E calculates $K^E := P^A(s^{E\leftrightarrow A})$, E calculates a new PA function $P^E$, E sends $P^E$ to B.
      Result: $K^A \neq K^E = K^B$.

Furthermore, using arguments similar to those presented in Section 3.6 one can construct attacks against modified versions of these protocols, including encryption of error-correction information and reuse of common, sifting-stage randomness for privacy amplification without communication.

3.8. Another attack against Protocol 2 (Eve attacks in both directions) 

In our previous attacks Eve substitutes certain messages but sticks to the original 
message order of the protocol. In the following attack Eve exchanges a sequence of 
messages with Alice first. When she needs to send an authentication tag to Alice, she 
starts her communication with Bob and continues until she obtains the necessary tag 
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from him. Then Eve continues her communication with Alice. 

In contrast to the previous attack against protocol 2 (cf. Sec. 3.4.1) this attack 
allows Eve to modify also messages that are sent to Alice. 

1. Protocol messages and messages inserted by Eve (marked by '). Let $t_1 := g_{K_1}(M^B)$, and remember that $t_2 := g_{K_2}(M^A)$. The messages are listed in the order in which Eve exchanges them.

(S1)  A → E : $\rho^A$
(S2') A ← E : $n^E$
(S3)  A → E : $b^A$
(S1') E → B : $\rho^E = \rho^A$
(S2)  E ← B : $n^B$
(S3') E → B : $b^E = b^A$
(S4)  E ← B : $b^{E=B}$
(P1') E → B : $T^E$
(P2)  E ← B : $e$ / fail, $t_1$
(S4') A ← E : $\tilde b^{E=B}$
(P1)  A → E : $T^A$
(P2') A ← E : $e$ / fail, $t_1$
(P3)  A → E : $P^A, t_2$ / -
(P3') E → B : $P^E, t_2$ / -
2. Protocol and attack actions.

(Sa) A performs step (Sa) of the protocol (prepares $\rho^A$ and sends it in (S1)).
(Sc') E intercepts (S1) from A and stores $\rho^A$ in her quantum memory. E sends an arbitrary number $n^E$ in (S2') to A to trigger A's next message.
(Sd) A performs step (Sd) of the protocol: she sends (S3), i.e. $b^A$.
(Sd') E intercepts (S3), measures $\rho^A$ in A's preparation bases $b^A$ and obtains A's raw key $d^A$.
(Sa') Using $d^A$ and $b^A$, E prepares an identical copy of $\rho^A$ and sends it in (S1') to B.
(Sb), (Sc), (Sd''), (Se), (Sf) E (instead of A) and B follow the protocol, thereby sending (S2), (S3'), (S4), until they obtain their sifted keys $s^E \approx s^B$.
(Pa'), (Pb) E (instead of A) and B follow the protocol, thereby sending (P1'), (P2), and reconcile their sifted keys. On receiving (P2) E has learned $M^B$ and the tag $t_1$ and can now continue her communication with A.
(Se') E calculates a message $\tilde b^{E=B}$ such that (i) it is close to $b^{E=B}$ and (ii) $M^{A\leftarrow E} := (n^E, \tilde b^{E=B}, e/\mathrm{fail})$ collides with $M^B$ under the inner hash function $f$, i.e. $f(M^{A\leftarrow E}) = f(M^B)$. E sends $\tilde b^{E=B}$ to A in (S4').
(Sf), (Pa) A calculates her sifted key $s^A$ and sends (P1).
(Pb') E intercepts (P1) and can correct the small errors introduced during quantum storage or measurement of $\rho^A$. Using the original tag $t_1$, E forwards (P2') = (P2) to A.
(Pc) Since $f(M^{A\leftarrow E}) = f(M^B)$, A accepts the message as authentic, calculates $P^A$ and $K^A = P^A(s^A)$, and sends (P3) with tag $t_2$.
(Pc') E calculates a PA function $P^E$ (and obtains $K^E = P^E(s^B)$) such that (i) $P^E(s^B) = K^A$ and (ii) $M^{E\to B} := (b^E, T^E, P^E)$ collides with $M^A$ under $f$. E sends (P3') with tag $t_2$ to B.
(Pd) B calculates $K^B = P^E(s^B)$.

Eve shares a common "secret" key with Alice and Bob. In case E cannot achieve condition (i) in step (Pc'), she obtains two individual keys, one with A and one with B. In both cases protocol 2 is completely broken by the presented attack.



3.9. Discussion of attacks

The degree of success of the eavesdropper varies from protocol to protocol and ranges from a complete three-party identity of the generated key, $K^A = K^E = K^B$, to a "separate worlds" outcome, $K^A = K^{E\leftrightarrow A} \neq K^{E\leftrightarrow B} = K^B$ (e.g. in the case of privacy amplification with no communication), to a successful attack over one of the legitimate parties (calling for a subsequent isolation of the other), i.e. $K^A \neq K^E = K^B$. Moreover, the success can be achieved either deterministically or sometimes only probabilistically, as in certain cases of encrypted transmission of error correction information.

This analysis underlines what was already mentioned in Section 3.2: as the attack mechanism fundamentally requires finding hash collisions of the internal authentication function that are useful to the eavesdropper, the different protocol versions discussed above allow inequivalent optimal adversarial approaches. As is to be expected, the availability of quantum resources simplifies the task of the eavesdropper but does not automatically lead to more powerful attacks. On the other hand, immediate authentication also provides leverage to the attacker, as she does not have to correlate all her actions across the post-processing chain. This gives the somewhat counter-intuitive observation that fewer authentication tags result in more difficulty for the attacker if she wants to keep the original message order! Furthermore, sifting initiated by Bob also poses more difficulties to Eve, as she cannot learn the full information of Alice as she can in the opposite case. Finally, if part of the post-processing information remains unknown to the eavesdropper, as in the case of encrypted reconciliation, then a deterministically successful attack strategy is not always guaranteed.

With all this said, it must be underlined that Eve can find useful collisions only if she can fake the protocol communication by hiding her modifications in the typically available random degrees of freedom. If these are unavailable or strongly reduced (as e.g. in the case of protocols with delayed authentication or with communication-less privacy amplification), the room for attack is narrowed, resulting in a number of cases in "separate worlds" or even "one-sided" adversarial success. Still, in all discussed cases there exists an attack strategy that renders the corresponding protocol version insecure.
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4. Countermeasures 

We will now propose a countermeasure that mitigates or, at a cost, prohibits the attacks exemplified in the previous section. One could consider encrypting parts of the communication between Alice and Bob (cf. Sec. 3.6.2), but we will concentrate on strengthening the two-step authentication below. As we shall see, there are a number of possibilities, ranging from increasing Eve's need for large computational power all the way to information-theoretic security. As can be expected, the cost of this security improvement comes in the form of an increased secret key consumption.

Let us first consider the main enabler of the attacks presented in the previous 
section. The reason that the attacks are possible is that when Eve receives (or intercepts) 
Alice's message, she can immediately check whether her message m_E coincides with Alice's 
under the publicly known hash function f. If not, Eve is free to choose another message 
m_E that does coincide with Alice's under f, although in some situations there is a small 
price to pay, as described above. To prohibit this we should make it difficult or impossible 
for Eve to check for this coincidence. The essence of our proposed countermeasure is 
to use an extra bitsequence to make the output of the public hash function difficult to 
predict, or even secret, for Eve. This is done in the following way: prepend an extra 
bitsequence S to the message and authenticate the result. Instead of using the tag 
t = g_K(m) = h_K(f(m)), use the tag t = g_K(S||m) = h_K(f(S||m)). If, for example, S is 
random and secret to Eve, then the output f(S||m) will also be secret to Eve, and she 
will not be able to search for coincidences in the above manner. 

It should be stressed that S should be prepended to the message before applying f. 
The bitsequence S should not be concatenated with f(m). The reason for this is fairly 
obvious: if S is concatenated with f(m) so that t = h_K(S||f(m)) or t = h_K(f(m)||S), 
then Eve can still apply her original attack strategy. All Eve needs in this case is still 
a message that collides with Alice's message under f. We should also stress 
that for certain classes of hash functions, prepending S to the message has advantages 
over appending it to m (so that t = h_K(f(m||S))). When using iterative hash functions 
like SHA-1 to calculate f(m||S), Eve can ignore S and search instead for a message 
m' such that f(m') = f(m). This is known as a partial-message collision attack, see 
Chapter 5 in Ref. [22]. If f is computed iteratively, f(m') = f(m) will automatically give 
f(m'||S) = f(m||S) (with appropriate block lengths). This is prohibited by prepending 
S instead, i.e. by using f(S||m). 
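The partial-message collision argument above, as an added example that is not code from the paper: a toy iterative hash with a constructed 12-bit compression function (no padding, unlike SHA-1), a colliding message pair found by exhaustive search, and a count of how many values of a one-byte S keep the pair colliding when S is appended versus prepended.

```python
"""Toy iterative (Merkle-Damgaard style) hash illustrating why the extra
bitsequence S must be prepended to the message before the public hash f
rather than appended.  Added example, not code from the paper: the 12-bit
state, the 8-bit blocks and the compression function are constructed so
that a collision for f can be found exhaustively."""
from itertools import product
from typing import Dict, Tuple

STATE_BITS = 12
MASK = (1 << STATE_BITS) - 1
IV = 0x5A3  # constructed initial chaining value


def compress(state: int, block: int) -> int:
    """Constructed compression function: mix one 8-bit block into the 12-bit
    chaining state.  Deliberately tiny so collisions exist, not a real design."""
    x = (state ^ (block * 0x9E3)) & MASK
    x = ((x << 5) | (x >> (STATE_BITS - 5))) & MASK  # rotate left by 5
    x = (x + 0x0F1 + block) & MASK
    return x ^ (x >> 7)


def f(msg: bytes) -> int:
    """Iterative public hash f: chain compress() over the message bytes,
    the way SHA-1 chains its compression function over message blocks
    (length padding is omitted in this toy)."""
    state = IV
    for b in msg:
        state = compress(state, b)
    return state


def find_collision_pair() -> Tuple[bytes, bytes]:
    """Return two distinct two-byte messages m, m' with f(m) == f(m').
    65536 messages land in 4096 states, so a collision exists (pigeonhole)."""
    seen: Dict[int, bytes] = {}
    for m in product(range(256), repeat=2):
        msg = bytes(m)
        z = f(msg)
        if z in seen:
            return seen[z], msg
        seen[z] = msg
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


def appended_collisions(m1: bytes, m2: bytes) -> int:
    """Count one-byte values S with f(m1||S) == f(m2||S).  The chaining state
    after m1 equals the state after m2, so S is absorbed from the same state
    and every S collides: the partial-message collision carries over."""
    return sum(f(m1 + bytes([s])) == f(m2 + bytes([s])) for s in range(256))


def prepended_collisions(m1: bytes, m2: bytes) -> int:
    """Count one-byte values S with f(S||m1) == f(S||m2).  Now m1 and m2 are
    absorbed from a state that depends on S, so the inner collision no longer
    carries over and a fresh search would be needed for each S."""
    return sum(f(bytes([s]) + m1) == f(bytes([s]) + m2) for s in range(256))


if __name__ == "__main__":
    m1, m2 = find_collision_pair()
    print(f"f({m1.hex()}) == f({m2.hex()}) == {f(m1):#05x}")
    print("S appended : collisions for", appended_collisions(m1, m2), "of 256 S")
    print("S prepended: collisions for", prepended_collisions(m1, m2), "of 256 S")
```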

Of course, a random secret S would consume secret key, and this may not be 
desirable. Selecting S can be done in a few ways, and these are the alternatives (including 
a random secret S): 

A salt, a random but fixed public bitstring, per device or per link. This would not 
make Eve's task much harder, but it would help a little in certain situations: for 
some messages, such as preparation and/or measurement settings, Eve does not 
need to use a random bitstring. She can use a fixed (random-looking) bitstring and, 
for that message, a pre-calculated table of messages with low Hamming distance and 
their corresponding intermediate tags [5]. Even though a full table might have an 
excessive number of entries (2^256 is a large number), a partial table could ease Eve's 
computational load (as in a rainbow table), or alternatively increase her probability 
of success. A salt would force Eve to create the table anew for each device or link. 

A nonce, a random public bitstring, per authentication attempt. This may seem like 
a big improvement because it seems Eve cannot use a pre-calculated table, forcing 
her to make the calculations online. However, the nonce needs to be transmitted 
from Alice to Bob or vice versa, and is not separately authenticated, since this 
would need secret key better used elsewhere. A nonce can therefore be changed in 
transit by Eve, and this increases her possibilities. Authenticating a message from 
Alice to Bob, there are two sub-alternatives: 

a) The nonce is generated by Alice and sent to Bob together with the tag, and 
Eve can change it in transit. 

b) The nonce is generated by Bob and sent to Alice after he has received the 
message. One alternative for Eve is to commit to a message so that she can 
receive the nonce from Bob, and then change the nonce in transit. In effect, 
she can now change Alice's message since that contains the nonce. 

In both cases, Eve needs to find a collision online, but Eve now has a message part 
that she can change to any value she desires. Therefore, her attack is easier in this 
setup, not more difficult. 

Fixed secret key, a random but fixed secret bitstring, per device or per link. In 
this case, Eve cannot apply the previous attack on the authentication, because 
she cannot check for collisions directly since f(S||m) is secret to her. To search 
for a message m' useful to Eve (i.e., having low Hamming distance to m_E) such 
that f(S||m') = f(S||m) has maximal probability (given the distribution of S) is 
computationally very costly. Moreover, we expect this maximal probability to be 
very low, but an upper bound is difficult to obtain and depends on details of the 
hash function, see below. 

As regards using a fixed secret [23], if Eve has partial knowledge, no matter how 
small, of the secret key K identifying h_K, this information will accumulate over 
the rounds as information on S. Remember that after the initial pre-shared key is 
used up, K will consist of QKD-generated key that is ε-perfect (the trace distance 
between the probability distribution of the key and the uniform distribution is ε), 
where ε is nonzero. Therefore, after a large number of rounds, this reduces to using 
a random fixed public bitstring (salt) as discussed above. 

Secret key, a random secret bitstring, per authentication attempt. Here also, Eve 
cannot apply the previous attack on the authentication, because she cannot check 
for collisions directly since f(S||m) is secret to her. The situation is almost identical 
to the fixed secret key case, but Eve's task is even harder as she cannot accumulate 
information on S. 

This countermeasure is simple to implement, and the last alternative above seems 
preferable, if only the key consumption is low. Choosing S to be of the same size as the 
tag gives a high computational load on Eve, and is efficient in terms of key consumption. 
It is, however, difficult to estimate the probability of success for Eve if she has large 
computational power. 

Let us examine what conditions need to be fulfilled to make the two-step 
authentication ITS. If the last alternative above is used, it is clear that we want a 
low probability of collision for a random value of S, and this is obtained if two 
distinct messages collide under f only for a small number of values of S. More 
formally, let $\mathcal{S}$ be the set of values of S. Then, if for any two distinct $m_1, m_2 \in \mathcal{M}$ 

$$|\{S \in \mathcal{S} : f(S\|m_1) = f(S\|m_2)\}| \le \epsilon' |\mathcal{S}|,$$

we automatically have a low collision probability. A close look at the above condition 
tells us that it is precisely the condition for a family of hash functions indexed by S 
to be $\epsilon'$-AU2 (see Appendix C). The following theorem states that this condition 
is necessary and sufficient to restore ITS. 

Theorem 1. Let $\mathcal{M}$, $\mathcal{Z}$ and $\mathcal{T}$ be finite sets. Let $\mathcal{F}$ be a family of hash functions from 
$\mathcal{M}$ to $\mathcal{Z}$, $\mathcal{H}$ a family of SU2 hash functions from $\mathcal{Z}$ to $\mathcal{T}$, and $\mathcal{G} := \mathcal{H} \circ \mathcal{F}$, where $\circ$ 
stands for element-wise composition. Then $\mathcal{G}$ is $\epsilon$-ASU2 if and only if $\mathcal{F}$ is $\epsilon'$-AU2, 
where $\epsilon = \epsilon'(1 - 1/|\mathcal{T}|) + 1/|\mathcal{T}|$. 



The proof can be found in Appendix C. Thus, to make the two-step authentication 
ITS, we should construct our fixed public hash function f with the help of an AU2 hash 
function family $\mathcal{F}$ as follows: 

$$f(S\|m) = f_S(m), \qquad f_S \in \mathcal{F}. \qquad (2)$$

In words, f separates S from the concatenation S||m and uses it as an index to select from 
the hash function family $\mathcal{F}$ an individual member $f_S$, which is applied to the original 
message m. 

Theorem 1 makes it possible to relate the message length $\log|\mathcal{M}|$, the security 
parameter $\epsilon'$, and the key consumption of the system. Let us aim for a final $\epsilon$-ASU2 
family with $\epsilon = 2/|\mathcal{T}| - 1/|\mathcal{T}|^2$, i.e., $\epsilon' = 1/|\mathcal{T}|$. Then the bound by Nguyen and Roscoe 
[21] is tight: 

$$|\mathcal{F}| \ge |\mathcal{T}|\,\big[\log|\mathcal{M}|/\log|\mathcal{Z}| - 1\big]. \qquad (3)$$

In [21] there are two lower bounds, but both can be written in this way. The bound 
applies when $\epsilon'|\mathcal{Z}| \ge 1 + \log|\mathcal{Z}|/(\log|\mathcal{M}| - \log|\mathcal{Z}|)$. The optimal family [24] is that 
of polynomial evaluation hashing over finite fields [25-27]. Therefore, using polynomial 
hashing with $|\mathcal{F}| = |\mathcal{Z}|$, we can authenticate messages as long as 

$$\log|\mathcal{M}| \le \big(|\mathcal{Z}|/|\mathcal{T}| + 1\big)\log|\mathcal{Z}|. \qquad (4)$$

For example, if $|\mathcal{Z}| = 2^{256}$, $|\mathcal{T}| = 2^{64}$ and $\epsilon = 2^{-63} - 2^{-128}$, then messages of length 
$\log|\mathcal{M}| \le 2^{200} \approx 10^{60}$ bits can be authenticated. The second step of the authentication 
uses an SU2 hash function $\mathcal{Z} \to \mathcal{T}$, which needs a key of length at least $\log|\mathcal{Z}| + \log|\mathcal{T}|$ 
bits [21, 25]. Thus, the total required key length is $2\log|\mathcal{Z}| + \log|\mathcal{T}|$, in this case 576 
bits. By adjusting $|\mathcal{Z}|$ to the maximum message length, this scheme can authenticate 
one terabit (petabit, exabit, zettabit, yottabit) of data using 260 (280, 298, 318, 338) 
bits of secret key. 

This construction makes the two-stage authentication ITS at the price of increasing 
the key consumption slightly. There are other efficient constructions of ASU2 hash 
functions as well, see e.g., [9, 28-30]. Some of these authenticate messages of arbitrary 
length with fixed key consumption at the price of a varying $\epsilon$, while others have fixed 
$\epsilon$ but varying key consumption. They also vary in terms of their computational speed. 
The numbers are in the same range as the ITS authentication presented above, and all 
mentioned schemes are reasonably efficient. 

5. Conclusions 

The main conclusion of our extensive analysis is: do not use non-ITS authentication 
in QKD if you want to achieve ITS security. This may sound rather obvious, but 
nevertheless in our opinion it is always good to know what exactly goes wrong if you 
break the rules. 

So, we have presented a comprehensive case study of attacks that compromise QKD 
in the non-ITS authentication setting of [3], which creates message tags by composing 
an inner public hash function with an outer function from a strongly universal hashing 
(SU2) family. From the point of view of the attacker, who is equipped with unbounded 
computing resources, this composition has the following properties: (i) inserting a 
randomly chosen message or substituting messages with a randomly chosen message is 
as hard as in the SU2 case and thus cannot be used in attacks, (ii) but more interestingly, 
substituting a message with another that collides under the public hash function will 
always work. As has been shown previously [3], property (i) does prohibit straightforward 
MITM attacks (cf. Definition 1). 

The sophisticated MITM attacks discussed here capitalize on property (ii) to 
successfully target many QKD protocol versions: protocols that use individual 
authentication of each message, or that use delayed authentication of all messages, 
protocols where Bob sends an acknowledgement message to trigger Alice's sifting 
message (containing her bases choice), or where Bob directly sends his bases choice, 
see Tables 2 and 3. All the attacks are enabled by the fact that the number of messages 
that collide with a given protocol message (or sequence of messages) of typically at least 
several hundred bits is extremely large. Therefore, almost certainly (see Sec. 3.1) there 
exists at least one colliding message that allows the eavesdropper to perform her attack. 
In some attacks Eve needs fewer computing resources if she possesses quantum memory. 

We stress that the discussed attack pattern is not restricted to one single instance, 
the specific authentication mechanism of Ref. [3] that we study here. We conjecture 
that whenever property (ii) holds, i.e. collisions can be found, and the protocol does 
not use additional secret key [51 E] (e.g. for encryption of messages), the adversary 
can compromise the security of the key generated by QKD, following an interleaving 
approach along the lines of that discussed in this paper. 

The countermeasures discussed in this paper use more secret key, specifically to 
prevent finding collisions. Prepending secret key material to the message, before 
applying the public hash function, will increase the computational resources needed 
for a successful attack substantially, at a low cost in terms of key material. 

Furthermore, we can achieve Universally Composable Information-Theoretic 
Security of the authentication scheme of [3] by replacing the publicly known hash 
function with an Almost Universal function family. This requirement is necessary 
and sufficient for ITS of the two-step authentication; the necessity of this condition is 
also a new result of this paper. 

Appendix A. Proof of Lemma 1 

Lemma 1. Let B be the closed ball of all messages m having a Hamming distance to 
$m_E$ not exceeding w: 

$$B = \{m : d_H(m, m_E) \le w\},$$

and let us assume that f maps all messages in B randomly onto $\mathcal{Z}$. Then the probability 
that at least one of the messages in B is validated by the given tag $t = h_K(f(m_A))$ is 

$$P_{\mathrm{succ}} = \Pr\{\exists\, m_E \in B : h_K(f(m_E)) = t\} \ge 1 - \exp\big(-|B|\,|\mathcal{Z}|^{-1}\big).$$

For simplicity we can loosen the bound and replace $|B|$ by $\binom{l}{w} \le |B|$, where l is the 
length of the binary message $m_E$. 

Proof. By assumption, the probability that f maps any (randomly chosen) message m 
of B onto any fixed value z of $\mathcal{Z}$ is $1/|\mathcal{Z}|$: 

$$m \in_R B,\ \forall z \in \mathcal{Z}:\quad \Pr\{f(m) = z\} = 1/|\mathcal{Z}|. \qquad (A.1)$$

Applying $h_K$ to f(m) and z in the argument of Pr (which potentially increases the value 
of the probability), setting $z = f(m_A)$, and using $t = h_K(f(m_A))$ we obtain 

$$m \in_R B:\quad \Pr\{h_K(f(m)) = t\} \ge 1/|\mathcal{Z}|. \qquad (A.2)$$

Consequently, the probability that t authenticates at least one message of all $|B|$ different 
messages in B is at least $1 - (1 - 1/|\mathcal{Z}|)^{|B|}$, and using that $(1 - 1/n)^n \le e^{-1}$ for $n \ge 1$ 
finishes the proof. Finally $|B| = \sum_{i=0}^{w} \binom{l}{i} \ge \binom{l}{w}$. □ 

If desired, $1/|\mathcal{Z}|$ can be replaced by any lower bound on the probability to allow 
for non-uniform distributions. 

Appendix B. Subsequence problem 

Eve is given two fixed bit sequences, $s_{E \to B}$ (the sifted key that Eve wants to achieve) and 
$d_A$ (the raw key of Alice). Her goal is to find a subsequence of $d_A$ that coincides with 
$s_{E \to B}$. 

Appendix B.l. Algorithm that finds a subsequence 

First we give a simple algorithm that takes two sequences $s = s_1|s_2|\cdots|s_m$, 
$S = S_1|S_2|\cdots|S_n$ as inputs and returns the index set $J = \{j_1, \ldots, j_m\} = \{j_i : S_{j_i} = s_i\}$ 
if s is a subsequence of S (denoted $s \preceq S$). 

Algorithm A find_subsequence(s, S) 

Input: two non-empty binary sequences s and S. 

Output: index set J if s is a subsequence of S, else ∅. 

i ← 1, j ← 1, m ← length(s), n ← length(S), J ← ∅ 
do 
  if s_i = S_j then              // we found one bit of s 
    J ← J ∪ {j}                  // store position 
    i ← i + 1                    // compare next bit of s 
  endif 
  j ← j + 1                      // compare next bit of S 
while (i ≤ m and j ≤ n)          // neither end of s nor end of S reached 
if i ≤ m then return ∅ endif     // end of s not reached, but end of S reached 
return J 



Appendix B.2. Probability for finding a subsequence in a random sequence 

We assume that both sequences consist of i.i.d. Bernoulli trials with p(0) = p(1) = 1/2 
and calculate the (success) probability that $s \preceq S$. 
$s \preceq S$ iff S is of the form 

$$S = \bar{s}_1|\ldots|\bar{s}_1|s_1|\bar{s}_2|\ldots|\bar{s}_2|s_2|\ldots|\bar{s}_m|\ldots|\bar{s}_m|s_m|x_1|x_2|\ldots \qquad (B.1)$$

Here, $\bar{s}_j$ denotes the negation of $s_j$, while each $x_i$ can independently take value 0 or 1. 
All sequences $\bar{s}_j|\ldots|\bar{s}_j$ are optional. Let N be the number of different valid sequences, 
i.e. sequences S that contain s as a subsequence. Obviously N does not depend on s, but 
only on m and n. To calculate N we can therefore choose s to be the all-zero sequence of 
length m. Consequently, N is equal to the number of different binary sequences of length 
n that contain at least m zeroes. The success probability is 

$$\Pr\{s \preceq S\} = N/2^n = 2^{-n}\sum_{l=m}^{n}\binom{n}{l}. \qquad (B.2)$$

Appendix B.3. Application to Eve's attack 

Note that Eve wants to find the sifted key $s_{E \to B}$ in Alice's raw key $d_A$. If both bases are 
used with equal probability (as in standard symmetric BB84), then $m \approx n/2$. Obviously, 

$$\Pr\{s \preceq S\} \ge \tfrac{1}{2} \;\Leftarrow\; m \le \lfloor n/2 \rfloor. \qquad (B.3)$$

However, it is not necessary that s is an exact subsequence of S. We can allow 
for some errors that will be removed during the subsequent error correction step. Using 
Hoeffding's inequality (Theorem 1 in Ref. [21]) we can give a non-tight (but exponential) 
lower bound on $\Pr\{\tilde{s} \preceq S\}$ if we allow for approximately k errors in the resulting 
subsequence s: 

$$\Pr\{\tilde{s} \preceq S\} \ge 1 - \exp\left(-\frac{2k^2}{n}\right) \;\Leftarrow\; \tilde{m} = \lfloor n/2 \rfloor - k. \qquad (B.4)$$

Here, only $\tilde{m}$ bits of s form a subsequence of S. For moderate values of k this probability 
reaches almost unity. 
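Algorithm A together with the probabilities (B.2) and (B.4), as an added example that is not the paper's own code; the sequence lengths, trial count and random seed are constructed, and the exact count from (B.2) is checked against the algorithm on random input.

```python
"""Added example, not the paper's own code: Algorithm A of Appendix B.1
(find_subsequence) and the success probabilities of Appendix B.2/B.3,
checked against each other on constructed random input.  Sequences are
lists of 0/1 ints; in the paper's notation s is Eve's target s_{E->B}
and S is Alice's raw key d_A."""
from math import comb, exp
from random import Random
from typing import List, Optional


def find_subsequence(s: List[int], S: List[int]) -> Optional[List[int]]:
    """Algorithm A: scan S once, matching the next unmatched bit of s as early
    as possible.  Returns the index set J = [j_1, ..., j_m] with S[j_i] == s[i]
    if s is a subsequence of S (0-based here), else None (the paper's empty
    set).  Greedy earliest matching is exact: taking the first possible
    position for s[i] leaves the most room for the remaining bits."""
    J: List[int] = []
    i = 0
    for j, bit in enumerate(S):
        if i == len(s):
            break
        if bit == s[i]:
            J.append(j)
            i += 1
    return J if i == len(s) else None


def prob_subsequence(m: int, n: int) -> float:
    """Eq. (B.2): Pr{s <= S} = 2^-n * sum_{l=m}^{n} C(n, l).  The count does
    not depend on s, so it equals the number of length-n strings with at
    least m zeroes."""
    return sum(comb(n, l) for l in range(m, n + 1)) / 2 ** n


def hoeffding_lower_bound(k: int, n: int) -> float:
    """Eq. (B.4): when only m~ = floor(n/2) - k bits of s are required to form
    a subsequence, the success probability is at least 1 - exp(-2k^2/n)."""
    return 1.0 - exp(-2.0 * k * k / n)


def empirical_rate(m: int, n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr{s <= S} for i.i.d. uniform bits, using the
    algorithm above; it should agree with prob_subsequence(m, n)."""
    rng = Random(seed)  # constructed, fixed seed for reproducibility
    hits = 0
    for _ in range(trials):
        s = [rng.getrandbits(1) for _ in range(m)]
        S = [rng.getrandbits(1) for _ in range(n)]
        hits += find_subsequence(s, S) is not None
    return hits / trials


if __name__ == "__main__":
    n = 16
    for m in (6, 8, 10):
        print(f"m={m:2d} n={n}: exact {prob_subsequence(m, n):.4f} "
              f"empirical {empirical_rate(m, n, 4000):.4f}")
    k = 3
    print(f"k={k}: exact {prob_subsequence(n // 2 - k, n):.4f} >= "
          f"Hoeffding {hoeffding_lower_bound(k, n):.4f}")
```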



Appendix C. Universal hash functions and proof of Theorem 1 

In the following we give definitions of (Almost) Universal and Strongly Universal hash 
function families; see e.g., [10]. 

Definition 3 ($\epsilon$-Almost Universal ($\epsilon$-AU2) hash functions). Let $\mathcal{M}$ and $\mathcal{T}$ be finite sets. 
A class $\mathcal{H}$ of hash functions from $\mathcal{M}$ to $\mathcal{T}$ is $\epsilon$-Almost Universal if there exist at most 
$\epsilon|\mathcal{H}|$ hash functions $h \in \mathcal{H}$ such that $h(m_1) = h(m_2)$ for any two distinct $m_1, m_2 \in \mathcal{M}$. 

If $\epsilon = 1/|\mathcal{T}|$, then $\mathcal{H}$ is called Universal (U2). 

Definition 4 ($\epsilon$-Almost Strongly Universal ($\epsilon$-ASU2) hash functions). Let $\mathcal{M}$ and $\mathcal{T}$ 
be finite sets. A class $\mathcal{H}$ of hash functions from $\mathcal{M}$ to $\mathcal{T}$ is $\epsilon$-ASU2 if the following two 
conditions are satisfied: 

(a) The number of hash functions in $\mathcal{H}$ that take an arbitrary $m_1 \in \mathcal{M}$ to an arbitrary 
$t_1 \in \mathcal{T}$ is exactly $|\mathcal{H}|/|\mathcal{T}|$. 

(b) The fraction of those functions that also take an arbitrary $m_2 \ne m_1$ in $\mathcal{M}$ to an 
arbitrary $t_2 \in \mathcal{T}$ (possibly equal to $t_1$) is at most $\epsilon$. 

If $\epsilon = 1/|\mathcal{T}|$, then $\mathcal{H}$ is called Strongly Universal (SU2). 

Below, we have restated Theorem 1 together with its proof. This theorem states 
that the composition of a hash function family with an SU2 family will form an ASU2 
family if and only if the first family in the composition is AU2. The "if" part follows 
from the composition theorem [10], but the proof below simultaneously handles "if and 
only if". 

Theorem 1. Let $\mathcal{M}$, $\mathcal{Z}$ and $\mathcal{T}$ be finite sets. Let $\mathcal{F}$ be a family of hash functions from 
$\mathcal{M}$ to $\mathcal{Z}$, $\mathcal{H}$ a family of SU2 hash functions from $\mathcal{Z}$ to $\mathcal{T}$, and $\mathcal{G} := \mathcal{H} \circ \mathcal{F}$, where $\circ$ 
stands for element-wise composition. Then $\mathcal{G}$ is $\epsilon$-ASU2 if and only if $\mathcal{F}$ is $\epsilon'$-AU2, 
where $\epsilon = \epsilon'(1 - 1/|\mathcal{T}|) + 1/|\mathcal{T}|$. 



Proof. For $\mathcal{G}$ to be $\epsilon$-ASU2, there are two requirements (Definition 4). The first, on 
$|\{g : g(m) = t\}|$, needs no properties of $\mathcal{F}$, because, for any $m \in \mathcal{M}$ and $t \in \mathcal{T}$, 

$$|\{g : g(m) = t\}| = \sum_{z} |\{f : f(m) = z\}|\,|\{h : h(z) = t\}| = \sum_{z} |\{f : f(m) = z\}|\,\frac{|\mathcal{H}|}{|\mathcal{T}|} = |\mathcal{F}|\,\frac{|\mathcal{H}|}{|\mathcal{T}|} = \frac{|\mathcal{G}|}{|\mathcal{T}|}. \qquad (C.1)$$

The second requirement is a bound for 

$$\begin{aligned}
|\{g : g(m_1) = t_1,\, g(m_2) = t_2\}| &= \sum_{z} |\{f : f(m_1) = f(m_2) = z\}|\,|\{h : h(z) = t_1,\, h(z) = t_2\}| \\
&\quad + \sum_{z_1 \ne z_2} |\{f : f(m_1) = z_1,\, f(m_2) = z_2\}|\,|\{h : h(z_1) = t_1,\, h(z_2) = t_2\}|,
\end{aligned} \qquad (C.2)$$

for any two distinct $m_1, m_2 \in \mathcal{M}$. If $t_1 \ne t_2$, the first term above will be zero because 
$h(z)$ will never equal both $t_1$ and $t_2$. If instead $t_1 = t_2 = t$, the first term simplifies to 

$$\sum_{z} |\{f : f(m_1) = f(m_2) = z\}|\,|\{h : h(z) = t\}| = |\{f : f(m_1) = f(m_2)\}|\,\frac{|\mathcal{H}|}{|\mathcal{T}|}. \qquad (C.3)$$

The second term is 

$$\sum_{z_1 \ne z_2} |\{f : f(m_1) = z_1,\, f(m_2) = z_2\}|\,|\{h : h(z_1) = t_1,\, h(z_2) = t_2\}| = \big(|\mathcal{F}| - |\{f : f(m_1) = f(m_2)\}|\big)\frac{|\mathcal{H}|}{|\mathcal{T}|^2}, \qquad (C.4)$$

and this can be bounded by $|\mathcal{G}|/|\mathcal{T}|^2$ using only properties of $\mathcal{H}$. Thus, if $t_1 = t_2$ the 
first term needs a bound for collisions within $\mathcal{F}$, while the second only needs properties 
of $\mathcal{H}$, and we obtain 

$$|\{g : g(m_1) = t_1,\, g(m_2) = t_2\}| = |\{f : f(m_1) = f(m_2)\}|\left(\delta_{t_1 t_2}\frac{|\mathcal{H}|}{|\mathcal{T}|} - \frac{|\mathcal{H}|}{|\mathcal{T}|^2}\right) + \frac{|\mathcal{G}|}{|\mathcal{T}|^2}, \qquad (C.5)$$

where $\delta_{t_1 t_2} = 1$ if $t_1 = t_2$ and 0 otherwise. This makes the second requirement on $\mathcal{G}$ 
equivalent to $\mathcal{F}$ being $\epsilon'$-AU2: 

$$|\{g : g(m_1) = t_1,\, g(m_2) = t_2\}| \le \epsilon\,\frac{|\mathcal{G}|}{|\mathcal{T}|} = \epsilon'\left(1 - \frac{1}{|\mathcal{T}|}\right)\frac{|\mathcal{G}|}{|\mathcal{T}|} + \frac{|\mathcal{G}|}{|\mathcal{T}|^2} \iff |\{f : f(m_1) = f(m_2)\}| \le \epsilon'\,|\mathcal{F}|. \qquad (C.6)$$

□ 
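The construction of Eq. (2) in Section 4 and the bound of Theorem 1 proved above, as an added example that is not the paper's own code: polynomial-evaluation hashing over a tiny constructed field GF(7) plays the role of the AU2 family $\mathcal{F}$ indexed by S, an affine family plays the SU2 family $\mathcal{H}$, and Definition 4(b) is evaluated exhaustively for the composed family to compare against $\epsilon = \epsilon'(1 - 1/|\mathcal{T}|) + 1/|\mathcal{T}|$.

```python
"""Added example, not the paper's own code: the ITS construction of Eq. (2),
f(S||m) = f_S(m), with f_S from the polynomial-evaluation family over GF(p)
(e'-AU2 with e' = L/p) composed with the affine SU2 family h_{a,b}(z) = az+b
mod p.  The field (p = 7 instead of |Z| = 2^256) is a constructed toy so the
e-ASU2 bound of Theorem 1 can be checked by exhaustive enumeration."""
from collections import Counter
from itertools import product
from typing import Iterator, Sequence, Tuple

P = 7  # constructed field size: |Z| = |T| = |F| = p
L = 2  # message length in field elements, |M| = p^L


def f_S(S: int, m: Sequence[int]) -> int:
    """f_S(m) = sum_{i=1..L} m_i * S^i mod p (Horner form).  Two distinct
    messages collide only at the roots of a nonzero polynomial of degree
    <= L, i.e. for at most L of the p keys S, so the family is L/p-AU2."""
    acc = 0
    for coeff in reversed(m):
        acc = (acc + coeff) * S % P
    return acc


def h_ab(a: int, b: int, z: int) -> int:
    """Affine SU2 family over GF(p), keyed by K = (a, b)."""
    return (a * z + b) % P


def g(S: int, a: int, b: int, m: Sequence[int]) -> int:
    """Two-step tag g_K(S||m) = h_K(f(S||m)) = h_{a,b}(f_S(m))."""
    return h_ab(a, b, f_S(S, m))


def message_pairs() -> Iterator[Tuple[Tuple[int, ...], Tuple[int, ...]]]:
    """All unordered pairs of distinct messages in M = GF(p)^L."""
    msgs = list(product(range(P), repeat=L))
    for i, m1 in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            yield m1, m2


def max_inner_collisions() -> int:
    """Largest number of keys S with f_S(m1) == f_S(m2) over all m1 != m2;
    Definition 3 then gives e' = this / |F|."""
    return max(sum(f_S(S, m1) == f_S(S, m2) for S in range(P))
               for m1, m2 in message_pairs())


def max_asu2_fraction() -> float:
    """Definition 4(b) for G = H o F: over all m1 != m2 and all (t1, t2), the
    largest fraction of the functions with g(m1) = t1 that also give
    g(m2) = t2.  By requirement (a) exactly |G|/|T| = p^2 functions take m1
    to t1, so the fraction is the joint count divided by p^2."""
    keys = list(product(range(P), repeat=3))  # (S, a, b) indexes G, |G| = p^3
    worst = 0
    for m1, m2 in message_pairs():
        tally = Counter((g(S, a, b, m1), g(S, a, b, m2)) for S, a, b in keys)
        worst = max(worst, max(tally.values()))
    return worst / P ** 2


def theorem1_epsilon(eps_prime: float) -> float:
    """e = e'(1 - 1/|T|) + 1/|T| from Theorem 1, here with |T| = p."""
    return eps_prime * (1 - 1 / P) + 1 / P
```

With p = 7 and L = 2 the worst inner collision count is 2 (so $\epsilon' = 2/7$) and max_asu2_fraction() returns exactly the Theorem 1 value 19/49, i.e. the bound is attained by this family.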